[PR #3328] added rule: Headers: Kagoya domain in routing

Author: github-actions[bot]

detection-rules/3328_headers_kagoya.yml

@@ -0,0 +1,20 @@
+name: "Headers: Kagoya domain in routing"
+description: "Message contains kagoya.net domain in the email headers, indicating routing through Kagoya Internet Routing services."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(headers.domains, .root_domain == "kagoya.net")
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Header analysis"
+id: "ee2ad621-8573-5eed-a68b-cb3494d5e575"
+og_id: "757dc3e1-7264-5509-9af1-7d44dd2e00d8"
+testing_pr: 3328
+testing_sha: 1aa6df86763fb7570ddff9c168d8481832413ded