From a65a81bdd78545a0f21129da98dda47defa6b95b Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Fri, 15 May 2026 16:34:39 -0500
Subject: [PATCH 1/2] Create headers_x_source_auth_sender_mismatch.yml

---
 .../headers_x_source_auth_sender_mismatch.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 detection-rules/headers_x_source_auth_sender_mismatch.yml

diff --git a/detection-rules/headers_x_source_auth_sender_mismatch.yml b/detection-rules/headers_x_source_auth_sender_mismatch.yml
new file mode 100644
index 00000000000..6f3ea97ff56
--- /dev/null
+++ b/detection-rules/headers_x_source_auth_sender_mismatch.yml
@@ -0,0 +1,25 @@
+name: "Headers: X-Source-Auth mismatch with sender address"
+description: "Detects messages where the X-Source-Auth header contains a different email address than the sender, indicating potential spoofing or mismatched authentication."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ // X-Source-Auth doesn't match sender
+ and any(headers.hops,
+ any(.fields,
+ .name == 'X-Source-Auth'
+ and .value != sender.email.email
+ and strings.parse_email(.value).email is not null
+ )
+ )
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Spoofing"
+ - "Evasion"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"

From 1646a6d68e327e4bae83c4516b035f9dd3429447 Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Fri, 15 May 2026 21:36:28 +0000
Subject: [PATCH 2/2] Auto-format MQL and add rule IDs

---
 detection-rules/headers_x_source_auth_sender_mismatch.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/headers_x_source_auth_sender_mismatch.yml b/detection-rules/headers_x_source_auth_sender_mismatch.yml
index 6f3ea97ff56..d573778515e 100644
--- a/detection-rules/headers_x_source_auth_sender_mismatch.yml
+++ b/detection-rules/headers_x_source_auth_sender_mismatch.yml
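Review bot: The mismatch test on `and .value != sender.email.email` compares the raw header value against a normalized address, so a header written as `Display Name <user@example.com>` or carrying surrounding whitespace differs from the sender even when the authenticated address is identical, although the next line already parses the value; compare the parsed form instead, `and strings.parse_email(.value).email != sender.email.email`. If string comparison in this engine is case-sensitive, both sides should also be lowercased before the comparison so that capitalization differences alone do not fire the rule. Because `any(headers.hops, ...)` inspects every hop, a forwarding or relay hop that stamps its own authenticated account will match as well; whether that noise is acceptable depends on how this "Attack surface reduction" rule is meant to be used, and a one-line comment in the `source` block stating that intent would help the next maintainer.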
@@ -23,3 +23,4 @@ tactics_and_techniques:
 detection_methods:
 - "Header analysis"
 - "Sender analysis"
+id: "7756bf2c-4ef4-5112-8109-5f91b085171f"