From 66b6e704e8ab84e05055053ab6a514b34ce3bd98 Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Mon, 3 Nov 2025 14:38:51 -0600
Subject: [PATCH] added mx.google.com to headers.hops.received.server.raw check

---
 detection-rules/asr_suspicious_mailer_gmail.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/asr_suspicious_mailer_gmail.yml b/detection-rules/asr_suspicious_mailer_gmail.yml
index dc7792738b2..fd2802d99a3 100644
--- a/detection-rules/asr_suspicious_mailer_gmail.yml
+++ b/detection-rules/asr_suspicious_mailer_gmail.yml
@@ -13,7 +13,7 @@ source: |
 or any(headers.hops, any(.fields, .value == "Produced By Microsoft MimeOLE"))
 )
 and (
- any(headers.hops, .index == 0 and .received.server.raw == "smtp.gmail.com")
+ any(headers.hops, .index == 0 and .received.server.raw in ("smtp.gmail.com", "mx.google.com"))
 or headers.return_path.domain.root_domain in ("gmail.com", "googlemail.com")
 )
 and not profile.by_sender().any_messages_benign
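Review bot: The added `mx.google.com` value changes what "sent via Gmail" means for this rule and nothing in the commit records why: `smtp.gmail.com` is the host a Gmail user submits through, whereas `mx.google.com` is the name Google's inbound MX stamps into Received headers, so a hop-0 match on it appears to cover messages Google received from elsewhere rather than messages a Gmail account submitted, which widens the rule beyond its name and is worth confirming against how MQL orders `headers.hops` (whether index 0 is the origin hop or the most recent one). The check is an exact string comparison on `.received.server.raw`, so a case or trailing-dot variant of either host would not match; if the intent is to cover Google-operated receiving hosts generally, a domain-level comparison (if the hop's server exposes one) would be more robust than growing the tuple one hostname at a time. Whichever is intended, the rationale should be captured in the rule's description or equivalent metadata field, e.g. "mx.google.com is included so that messages first received by Google's inbound MX are covered, not only Gmail submissions". The `source:` block this condition belongs to starts before the hunk, so the rule's other conditions and metadata were not reviewed here.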