[PR #3464] added rule: Suspicious mailer received from Gmail servers

Author: github-actions[bot]

detection-rules/3464_asr_suspicious_mailer_gmail.yml

@@ -0,0 +1,33 @@
+name: "Suspicious mailer received from Gmail servers"
+description: "Mailer is atypical of sends from Gmail infrastructure. Observed sending callback phishing and general spam."
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  and (
+    strings.ilike(headers.mailer,
+                  "Microsoft CDO for Windows 2000",
+                  "PHPMailer*",
+                  "nodemailer*"
+    )
+    or any(headers.hops, any(.fields, .value == "Produced By Microsoft MimeOLE"))
+  )
+  and (
+    any(headers.hops, .index == 0 and .received.server.raw in ("smtp.gmail.com", "mx.google.com"))
+    or headers.return_path.domain.root_domain in ("gmail.com", "googlemail.com")
+  )
+  and not profile.by_sender().any_messages_benign
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Callback Phishing"
+  - "Spam"
+tactics_and_techniques:
+  - "Free email provider"
+  - "Social engineering"
+detection_methods:
+  - "Header analysis"
+id: "f21c50a0-759b-506a-8929-51a47ab7c49d"
+og_id: "f05f04ee-1234-5a28-98d9-54510c62e1f6"
+testing_pr: 3464
+testing_sha: 66b6e704e8ab84e05055053ab6a514b34ce3bd98