[PR sublime-security#3720] added rule: PR# 3720 - Headers: UTF-8 base64 encoded From header

github-actions[bot] · github-actions[bot] · commit 2dc831c64663 · 2026-01-16T21:27:53.000Z
diff --git a/detection-rules/3720_headers_utf8_base64_encoded_from.yml b/detection-rules/3720_headers_utf8_base64_encoded_from.yml
@@ -0,0 +1,30 @@
+name: "PR# 3720 - Headers: UTF-8 base64 encoded From header"
+description: "Message contains a From header that has been encoded using UTF-8 base64 encoding, which may be used to obfuscate sender information or bypass security filters."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(headers.hops,
+          any(filter(.fields, .name == "From"),
+              strings.istarts_with(.value, "-=?utf-8?b?")
+          )
+  )
+tags:
+  - "Attack surface reduction"
+  - pr_author_MSAdministrator
+  - created_from_open_prs
+  - rule_status_added
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+  - "Spam"
+tactics_and_techniques:
+  - "Encryption"
+  - "Evasion"
+  - "Spoofing"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+id: "9bfe94d9-9afe-5360-9a53-bd5099e5a5f5"
+references:
+  - https://github.com/sublime-security/sublime-rules/pull/3720
