From e091b4d13dce8d9caad7fc200217a521046ed864 Mon Sep 17 00:00:00 2001 From: Bryan Campbell <8331265+brycampbell@users.noreply.github.com> Date: Thu, 14 Aug 2025 17:08:01 +0100 Subject: [PATCH 1/2] Create headers_suspicious_outdated_clients.yml --- .../headers_suspicious_outdated_clients.yml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 detection-rules/headers_suspicious_outdated_clients.yml
diff --git a/detection-rules/headers_suspicious_outdated_clients.yml b/detection-rules/headers_suspicious_outdated_clients.yml
new file mode 100644
index 00000000000..658d1e41082
--- /dev/null
+++ b/detection-rules/headers_suspicious_outdated_clients.yml
@@ -0,0 +1,39 @@
+name: "Headers: Suspicious or outdated mailer versions"
+description: "Detects emails originating from suspicious, outdated, or uncommon mail client versions that are often associated with malicious activity. This includes obsolete versions of Outlook Express, Zimbra, custom mailers, and clients running on penetration testing platforms like Kali Linux."
+type: "rule"
+severity: "low"
+source: |
+ type.inbound
+ and (
+ strings.contains(headers.mailer, "Microsoft Outlook Express 6.00.2900.2180")
+ or strings.contains(headers.mailer,
+ "Zimbra 10.1.10_GA_4785 (ZimbraWebClient - GC138 (Win)/10.1.10_GA_4785"
+ )
+ or strings.contains(headers.mailer, "Supmailer 42.0.1")
+ or strings.contains(headers.mailer,
+ "Zimbra 5.0.16_GA_2921.RHEL4 (zclient/5.0.16_GA_2921.RHEL4"
+ )
+ or strings.contains(headers.mailer, "The Bat! (v3–v4…)")
+ or regex.icontains(headers.mailer, '\bkali[^\s]*\b')
+ or strings.contains(headers.mailer, "Foxmail 7.0.1.92[cn]")
+ or strings.contains(headers.mailer, "FoxMail 3.11 Release [cn]")
+ )
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Spoofing"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
From 76080e6f7f32864789fa9d94cd85bd4f6c37534b Mon Sep 17 00:00:00 2001 From: ID Generator Date: Thu, 14 Aug 2025 16:31:36 +0000 Subject: [PATCH 2/2] Auto add rule ID --- detection-rules/headers_suspicious_outdated_clients.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/detection-rules/headers_suspicious_outdated_clients.yml b/detection-rules/headers_suspicious_outdated_clients.yml
index 658d1e41082..32bfa04eafb 100644
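Review bot: The literal `"The Bat! (v3–v4…)"` in the mailer list contains an en dash and an ellipsis and reads as a placeholder copied from notes rather than an actual X-Mailer value, so that `strings.contains` branch can never match a real header; if the intent is The Bat! 3.x/4.x, something like `or regex.icontains(headers.mailer, '^The Bat! \(v[34]\.')` would express it. The `'\bkali[^\s]*\b'` pattern matches any word beginning with "kali" (product names, surnames), not only the Kali Linux platform, so if the platform is the target a tighter form such as `'\bkali[\s-]?linux\b'` is safer. The remaining entries are exact-case, exact-build strings checked with case-sensitive `strings.contains`, which any slightly different build or casing sidesteps while still carrying the false-positive cost of a contains match; `strings.icontains` would at least be consistent with the `regex.icontains` branch. Note too that `Zimbra 10.1.10_GA_4785` appears to be a current release rather than an obsolete one, so that entry may flag legitimate Zimbra tenants — worth confirming against the "outdated" intent stated in the description.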
--- a/detection-rules/headers_suspicious_outdated_clients.yml
+++ b/detection-rules/headers_suspicious_outdated_clients.yml
@@ -37,3 +37,4 @@ tactics_and_techniques:
 detection_methods:
 - "Header analysis"
 - "Sender analysis"
+id: "324ff8f1-d182-5c0b-8565-18b5f22eac42"