rule_id: R0042
rule_version: 1
name: mass_phishing_campaign
description: |
  RCPT count above threshold + body simhash matching across N
  recipients in a window. EmailLifter (E.3.12).
applies_to:
  - email
match:
  kind: lifter:email_mass_phish
  rcpt_threshold: 25
  body_simhash_window_h: 24
emits:
  - tactic: TA0001
    technique_id: T1566
    confidence: 0.85
evidence_fields:
  - rcpt_count
  - body_simhash