[PR #3720] added rule: Headers: UTF-8 base64 encoded From header

github-actions[bot] · github-actions[bot] · commit 3a346d5f177f · 2025-12-30T19:55:56.000Z
diff --git a/detection-rules/3720_headers_utf8_base64_encoded_from.yml b/detection-rules/3720_headers_utf8_base64_encoded_from.yml
@@ -0,0 +1,28 @@
+name: "Headers: UTF-8 base64 encoded From header"
+description: "Message contains a From header that has been encoded using UTF-8 base64 encoding, which may be used to obfuscate sender information or bypass security filters."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(headers.hops,
+          any(filter(.fields, .name == "From"),
+              strings.istarts_with(.value, "=?utf-8?b?")
+          )
+  )
+tags:
+  - "Attack surface reduction"
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+  - "Spam"
+tactics_and_techniques:
+  - "Encryption"
+  - "Evasion"
+  - "Spoofing"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+id: "9bfe94d9-9afe-5360-9a53-bd5099e5a5f5"
+og_id: "601c7b98-c804-58f8-95b2-c02160c8d97b"
+testing_pr: 3720
+testing_sha: feec33149aee6585b2d891bf885ff6e63079080f
