anti
1ad15470a1
8 YAMLs for the email cohort per Appendix B: open-relay abuse, mass phishing, phishing-kit X-Mailer signatures, IDN/punycode URLs, sender masquerade, malicious attachment, BEC, encoded payload in body. EmailLifter (E.3.12) consumes by rule_id. test_email_rules.py: YAML-present + inert-in-v0 + xfail(strict) precision case gated on E.3.12.
20 lines
415 B
YAML
20 lines
415 B
YAML
rule_id: R0042
|
|
rule_version: 1
|
|
name: mass_phishing_campaign
|
|
description: |
|
|
RCPT count above threshold + body simhash matching across N
|
|
recipients in a window. EmailLifter (E.3.12).
|
|
applies_to:
|
|
- email
|
|
match:
|
|
kind: lifter:email_mass_phish
|
|
rcpt_threshold: 25
|
|
body_simhash_window_h: 24
|
|
emits:
|
|
- tactic: TA0001
|
|
technique_id: T1566
|
|
confidence: 0.85
|
|
evidence_fields:
|
|
- rcpt_count
|
|
- body_simhash
|