diff --git a/detection-rules/headers_x_source_auth_sender_mismatch.yml b/detection-rules/headers_x_source_auth_sender_mismatch.yml
new file mode 100644
index 00000000000..d573778515e
--- /dev/null
+++ b/detection-rules/headers_x_source_auth_sender_mismatch.yml
@@ -0,0 +1,26 @@
+name: "Headers: X-Source-Auth mismatch with sender address"
+description: "Detects messages where the X-Source-Auth header contains a different email address than the sender, indicating potential spoofing or mismatched authentication."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ // X-Source-Auth doesn't match sender
+ and any(headers.hops,
+ any(.fields,
+ .name == 'X-Source-Auth'
+ and .value != sender.email.email
+ and strings.parse_email(.value).email is not null
+ )
+ )
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Spoofing"
+ - "Evasion"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
+id: "7756bf2c-4ef4-5112-8109-5f91b085171f"
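Review bot: The mismatch test in the `source` block compares the raw header value (`.value != sender.email.email`) while the null-guard on the next line uses the parsed address, so any `X-Source-Auth` value that carries surrounding whitespace, angle brackets, a display name, or a different letter case will compare unequal to `sender.email.email` even when the addresses are the same, and the rule fires on legitimate mail. The comparison should use the same parsed form as the guard: `and strings.parse_email(.value).email != sender.email.email`; if the platform offers a case-insensitive string comparison, that is preferable for the local part, since address casing in this header is presumably not normalized by every upstream MTA. The `description` should also say which mail systems emit `X-Source-Auth`, because it is not a standard header and the rule is silent on messages that lack it, so readers cannot judge the rule's coverage from the text alone. Consider documenting in a comment inside `source` that forwarded or list-relayed messages are an expected benign source of this mismatch and may warrant an exclusion once hits are reviewed.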