rule_id: R0043
rule_version: 1
name: phishing_kit_xmailer
description: |
  X-Mailer header matches a curated phishing-kit signature DB
  (PHPMailer-of-known-kits, GreatHorn known-bad, etc.).
applies_to:
  - email
match:
  kind: lifter:email_xmailer_kit
  catalog: phishing_kits
emits:
  - tactic: TA0001
    technique_id: T1566
    confidence: 0.9
  - tactic: TA0042
    technique_id: T1588
    sub_technique_id: T1588.001
    confidence: 0.85
evidence_fields:
  - x_mailer
  - matched_kit
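The following is an added illustration of how a rule of this shape is evaluated end to end; it is not part of the rule file and not the project's own lifter or catalog code. It assumes a lifter that extracts the X-Mailer header from a raw RFC 5322 message, a catalog keyed by kit name whose entries are regular expressions, and an evaluator that returns the rule's emits plus the two evidence fields when a kit matches. The catalog entries and the three sample messages are constructed placeholders, not real kit signatures or real mail.

```python
import email
import re
from email import policy
from typing import Optional

# Rule R0043 expressed as data, mirroring the YAML rule above.
RULE = {
    "rule_id": "R0043",
    "rule_version": 1,
    "name": "phishing_kit_xmailer",
    "emits": [
        {"tactic": "TA0001", "technique_id": "T1566", "confidence": 0.9},
        {"tactic": "TA0042", "technique_id": "T1588",
         "sub_technique_id": "T1588.001", "confidence": 0.85},
    ],
    "evidence_fields": ["x_mailer", "matched_kit"],
}

# Constructed stand-in for the "phishing_kits" catalog. The kit names and
# patterns are hypothetical placeholders, not real signatures; a real catalog
# is a curated list maintained outside the rule.
PHISHING_KITS_CATALOG = {
    "example-kit-alpha": re.compile(r"^ExampleKit\s+Mailer\b", re.I),
    "example-kit-beta": re.compile(r"^PHPMailer\s+\S+\s+\(example-kit-beta\)$", re.I),
}


def lift_xmailer(raw_message: bytes) -> Optional[str]:
    """Lifter for the X-Mailer header (stands in for lifter:email_xmailer_kit).
    Returns the stripped header value, or None if the message has no X-Mailer."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    value = msg.get("X-Mailer")
    return None if value is None else str(value).strip()


def match_kit(x_mailer: Optional[str]) -> Optional[str]:
    """Return the catalog kit name whose pattern matches, or None.
    A missing or empty X-Mailer never matches: absence is not evidence."""
    if not x_mailer:
        return None
    for kit_name, pattern in PHISHING_KITS_CATALOG.items():
        if pattern.search(x_mailer):
            return kit_name
    return None


def evaluate_rule(raw_message: bytes) -> Optional[dict]:
    """Evaluate R0043 against one message. Returns None when the rule does not
    fire; otherwise the emitted ATT&CK mappings plus the evidence fields."""
    x_mailer = lift_xmailer(raw_message)
    kit = match_kit(x_mailer)
    if kit is None:
        return None
    return {
        "rule_id": RULE["rule_id"],
        "rule_version": RULE["rule_version"],
        "name": RULE["name"],
        "emits": [dict(e) for e in RULE["emits"]],
        "evidence": {"x_mailer": x_mailer, "matched_kit": kit},
    }


# Constructed sample messages (not real mail).
KIT_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"X-Mailer: ExampleKit Mailer 2.1\r\n"
    b"\r\nbody\r\n"
)
# Stock PHPMailer banner with no kit marker: must NOT match on its own.
BENIGN_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"X-Mailer: PHPMailer 6.8.0 (https://github.com/PHPMailer/PHPMailer)\r\n"
    b"\r\nbody\r\n"
)
NO_XMAILER_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\nbody\r\n"
)

if __name__ == "__main__":
    for label, raw in (("kit", KIT_MESSAGE), ("benign", BENIGN_MESSAGE),
                       ("no-xmailer", NO_XMAILER_MESSAGE)):
        print(label, evaluate_rule(raw))
```

The benign sample shows why the rule keys on a curated catalog rather than on the mailer family alone: a stock PHPMailer banner is common in legitimate mail, so only values that match a known-kit entry fire, and the matched_kit evidence field records which entry did.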