Detects email messages that contain (anonymous|smtp)fox in the sender email address, X-Authenticated-Sender or X-Sender fields.
This is indicative of messages sourced from an AnonymousFox compromised website.
type.inbound and any(headers.hops, any(.fields, regex.icontains(.name, "X-Authenticated-Sender|X-Sender") and regex.icontains(.value, "(anonymous|smtp)fox-") ) or regex.icontains(sender.email.email, "(anonymous|smtp)fox-") )
Test against your own EMLs or sample data.
Get Started. Today.
Managed or self-managed. No MX changes.