Email headers are metadata within a raw message that contain information like the path the message took from source to destination, authentication results, originating mail client, and more. Often we can use information from within the headers to signature an attacker or attack type.
To see how headers are parsed and normalized on the MDM, see the Message Data Model reference.
Each mail server a message traverses is called a "mail hop." In the MDM, each hop is stored in the
headers.hops list. Within each hop, Sublime further normalizes common header values into structured objects like
received_spf, and more.
Header values like ‘Authentication-Results’ and ‘ARC-Authentication-Results’ are all normalized into the
authentication_results MDM object within the
headers.hops list. This MQL snippet will return
true whenever there's a DMARC "fail":
any(headers.hops, .authentication_results.dmarc =~ "fail")
Raw header values are stored within each
hop object on the MDM, with their order preserved. This MQL snippet will return true whenever there's a header field by the name (case insensitive) "Received-SPF" and the value containing "spf=temperror".
any(headers.hops, any(.fields, .name =~ "Received-SPF") and strings.ilike(.value, "*spf=temperror*")))
Updated 7 months ago