feat(ttp): E.3.8 R0041-R0048 email cohort

8 YAMLs for the email cohort per Appendix B: open-relay abuse,
mass phishing, phishing-kit X-Mailer signatures, IDN/punycode
URLs, sender masquerade, malicious attachment, BEC, encoded
payload in body. EmailLifter (E.3.12) consumes by rule_id.

test_email_rules.py: YAML-present + inert-in-v0 + xfail(strict)
precision case gated on E.3.12.

rules/ttp/R0041.yaml

@@ -0,0 +1,24 @@
+rule_id: R0041
+rule_version: 1
+name: open_relay_abuse
+description: |
+  High RCPT count with a foreign From — abuse of an open relay to
+  push outbound mail. EmailLifter (E.3.12).
+applies_to:
+  - email
+match:
+  kind: lifter:open_relay
+  rcpt_threshold: 10
+  require_foreign_from: true
+emits:
+  - tactic: TA0040
+    technique_id: T1496
+    confidence: 0.85
+  - tactic: TA0042
+    technique_id: T1586
+    sub_technique_id: T1586.002
+    confidence: 0.85
+evidence_fields:
+  - rcpt_count
+  - from_domain
+  - mail_from_domain

rules/ttp/R0042.yaml

@@ -0,0 +1,19 @@
+rule_id: R0042
+rule_version: 1
+name: mass_phishing_campaign
+description: |
+  RCPT count above threshold + body simhash matching across N
+  recipients in a window. EmailLifter (E.3.12).
+applies_to:
+  - email
+match:
+  kind: lifter:email_mass_phish
+  rcpt_threshold: 25
+  body_simhash_window_h: 24
+emits:
+  - tactic: TA0001
+    technique_id: T1566
+    confidence: 0.85
+evidence_fields:
+  - rcpt_count
+  - body_simhash

rules/ttp/R0043.yaml

@@ -0,0 +1,22 @@
+rule_id: R0043
+rule_version: 1
+name: phishing_kit_xmailer
+description: |
+  X-Mailer header matches a curated phishing-kit signature DB
+  (PHPMailer-of-known-kits, GreatHorn known-bad, etc.).
+applies_to:
+  - email
+match:
+  kind: lifter:email_xmailer_kit
+  catalog: phishing_kits
+emits:
+  - tactic: TA0001
+    technique_id: T1566
+    confidence: 0.9
+  - tactic: TA0042
+    technique_id: T1588
+    sub_technique_id: T1588.001
+    confidence: 0.85
+evidence_fields:
+  - x_mailer
+  - matched_kit

rules/ttp/R0044.yaml

@@ -0,0 +1,23 @@
+rule_id: R0044
+rule_version: 1
+name: idn_homoglyph_url
+description: |
+  IDN / Punycode (xn--) URL in email body. Two emits: masquerade
+  (T1036.005) and credential-harvest landing-page (T1566.002).
+applies_to:
+  - email
+match:
+  kind: lifter:email_idn_url
+  punycode_prefix: 'xn--'
+emits:
+  - tactic: TA0005
+    technique_id: T1036
+    sub_technique_id: T1036.005
+    confidence: 0.9
+  - tactic: TA0001
+    technique_id: T1566
+    sub_technique_id: T1566.002
+    confidence: 0.9
+evidence_fields:
+  - matched_url
+  - decoded_idn

rules/ttp/R0045.yaml

@@ -0,0 +1,25 @@
+rule_id: R0045
+rule_version: 1
+name: sender_masquerade
+description: |
+  From / Return-Path / MAIL FROM domain mismatch, or DKIM/SPF
+  fail signal in Authentication-Results. Lifter composes the three
+  header signals into a single masquerade verdict.
+applies_to:
+  - email
+match:
+  kind: lifter:email_sender_masquerade
+  signals:
+    - from_returnpath_mismatch
+    - from_mailfrom_mismatch
+    - dkim_fail
+    - spf_fail
+emits:
+  - tactic: TA0005
+    technique_id: T1036
+    confidence: 0.85
+evidence_fields:
+  - from_domain
+  - return_path_domain
+  - mail_from_domain
+  - auth_results

rules/ttp/R0046.yaml

@@ -0,0 +1,33 @@
+rule_id: R0046
+rule_version: 1
+name: malicious_attachment
+description: |
+  Macro-bearing Office doc, .lnk, .iso/.img, password-protected
+  archive, or HTML-smuggling pattern. Lifter inspects the
+  attachment table (file_type + ole_macros + maldoc verdict).
+applies_to:
+  - email
+match:
+  kind: lifter:email_malicious_attachment
+  triggers:
+    - office_macro
+    - lnk
+    - iso
+    - img
+    - protected_archive
+    - html_smuggling
+    - mal_hash_match
+emits:
+  - tactic: TA0002
+    technique_id: T1204
+    sub_technique_id: T1204.002
+    confidence: 0.9
+  - tactic: TA0001
+    technique_id: T1566
+    sub_technique_id: T1566.001
+    confidence: 0.9
+evidence_fields:
+  - filename
+  - mime_type
+  - matched_trigger
+  - file_hash

rules/ttp/R0047.yaml

@@ -0,0 +1,31 @@
+rule_id: R0047
+rule_version: 1
+name: bec_pattern
+description: |
+  Business email compromise: urgent-wire / CEO-impersonation
+  language + a request-for-action shape (gift cards, wire,
+  payroll change). Subject + body composite signal.
+applies_to:
+  - email
+match:
+  kind: lifter:email_bec
+  subject_keywords:
+    - urgent
+    - wire
+    - invoice
+    - payroll
+    - gift card
+  body_action_keywords:
+    - send
+    - transfer
+    - update banking
+    - confidential
+emits:
+  - tactic: TA0001
+    technique_id: T1566
+    sub_technique_id: T1566.003
+    confidence: 0.85
+evidence_fields:
+  - subject
+  - matched_subject_kw
+  - matched_body_kw

rules/ttp/R0048.yaml

@@ -0,0 +1,23 @@
+rule_id: R0048
+rule_version: 1
+name: encoded_payload_in_body
+description: |
+  Base64-encoded blob ≥ N bytes embedded in the email body —
+  classic obfuscated-payload smuggling.
+applies_to:
+  - email
+match:
+  kind: lifter:email_encoded_payload
+  min_bytes: 4096
+  encoding: base64
+emits:
+  - tactic: TA0011
+    technique_id: T1071
+    sub_technique_id: T1071.003
+    confidence: 0.85
+  - tactic: TA0005
+    technique_id: T1027
+    confidence: 0.9
+evidence_fields:
+  - encoded_bytes
+  - decoded_preview