From c7d57a25fed987148dd3f5ae22af5f00e9301e96 Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Tue, 30 Sep 2025 20:14:37 -0400
Subject: [PATCH 1/2] Create headers_kagoya.yml

---
 detection-rules/headers_kagoya.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 detection-rules/headers_kagoya.yml

diff --git a/detection-rules/headers_kagoya.yml b/detection-rules/headers_kagoya.yml
new file mode 100644
index 00000000000..6cac804757d
--- /dev/null
+++ b/detection-rules/headers_kagoya.yml
@@ -0,0 +1,16 @@
+name: "Headers: Kagoya domain in routing"
+description: "Message contains kagoya.net domain in the email headers, indicating routing through Kagoya Internet Routing services."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(headers.domains, .root_domain == "kagoya.net")
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Header analysis"

From 1aa6df86763fb7570ddff9c168d8481832413ded Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Wed, 1 Oct 2025 00:16:12 +0000
Subject: [PATCH 2/2] Auto add rule ID

---
 detection-rules/headers_kagoya.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/headers_kagoya.yml b/detection-rules/headers_kagoya.yml
index 6cac804757d..a30f3b5a2f5 100644
--- a/detection-rules/headers_kagoya.yml
+++ b/detection-rules/headers_kagoya.yml
@@ -14,3 +14,4 @@ tactics_and_techniques:
 - "Evasion"
 detection_methods:
 - "Header analysis"
+id: "757dc3e1-7264-5509-9af1-7d44dd2e00d8"
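Review bot: The `source` block in the first hunk fires on every inbound message whose headers reference the kagoya.net root domain, with no exclusion for mail the organization already legitimately receives via that hosting provider, so at severity "medium" this will flag every customer of that provider rather than anything specifically evasive. Since the only tag is "Attack surface reduction" and the description frames the domain as an indicator on its own, the rule should either document that it is intended as a blanket policy rule with expected benign hits, or narrow the condition; a common shape in this rule library, if the sender-profile helper is available here, is `and not profile.by_sender().solicited` appended after the `any(headers.domains, ...)` line. The `description` line should also state the false-positive expectation, e.g. `"... Kagoya is a hosting provider, so legitimate mail from its customers will also match; intended for organizations that do not expect mail routed through it."` The second hunk only adds the generated `id` and needs no change.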