feat(ttp): E.3.8 R0041-R0048 email cohort
8 YAMLs for the email cohort per Appendix B: open-relay abuse, mass phishing, phishing-kit X-Mailer signatures, IDN/punycode URLs, sender masquerade, malicious attachment, BEC, encoded payload in body. EmailLifter (E.3.12) consumes by rule_id. test_email_rules.py: YAML-present + inert-in-v0 + xfail(strict) precision case gated on E.3.12.
This commit is contained in:
25
rules/ttp/R0045.yaml
Normal file
25
rules/ttp/R0045.yaml
Normal file
@@ -0,0 +1,25 @@
|
||||
rule_id: R0045
|
||||
rule_version: 1
|
||||
name: sender_masquerade
|
||||
description: |
|
||||
From / Return-Path / MAIL FROM domain mismatch, or DKIM/SPF
|
||||
fail signal in Authentication-Results. Lifter composes the three
|
||||
header signals into a single masquerade verdict.
|
||||
applies_to:
|
||||
- email
|
||||
match:
|
||||
kind: lifter:email_sender_masquerade
|
||||
signals:
|
||||
- from_returnpath_mismatch
|
||||
- from_mailfrom_mismatch
|
||||
- dkim_fail
|
||||
- spf_fail
|
||||
emits:
|
||||
- tactic: TA0005
|
||||
technique_id: T1036
|
||||
confidence: 0.85
|
||||
evidence_fields:
|
||||
- from_domain
|
||||
- return_path_domain
|
||||
- mail_from_domain
|
||||
- auth_results
|
||||
Reference in New Issue
Block a user