From 4ab6a3c2a9b650f7fe11eb815f0889b1d50305ba Mon Sep 17 00:00:00 2001
From: "detections-ai[bot]" <222691694+detections-ai[bot]@users.noreply.github.com>
Date: Mon, 9 Feb 2026 16:23:03 +0000
Subject: [PATCH] Update file at /KQL/hunting-paypal-dkim-replay-attacks.kql

---
 KQL/hunting-paypal-dkim-replay-attacks.kql | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 KQL/hunting-paypal-dkim-replay-attacks.kql

diff --git a/KQL/hunting-paypal-dkim-replay-attacks.kql b/KQL/hunting-paypal-dkim-replay-attacks.kql
new file mode 100644
index 0000000..4963602
--- /dev/null
+++ b/KQL/hunting-paypal-dkim-replay-attacks.kql
@@ -0,0 +1,14 @@
+EmailEvents
+| where Timestamp > ago(1h)
+| where SenderFromAddress == "service@paypal.com"
+| where parse_json(AuthenticationDetails).DKIM == "pass" and
+parse_json(AuthenticationDetails).DMARC == "pass"
+| where not (ipv4_is_in_range(SenderIPv4,"64.4.240.0/21") or
+ipv4_is_in_range(SenderIPv4,"64.4.248.0/22") or
+ipv4_is_in_range(SenderIPv4,"66.211.168.0/22") or
+ipv4_is_in_range(SenderIPv4,"91.243.72.0/23") or
+ipv4_is_in_range(SenderIPv4,"173.0.80.0/20") or
+ipv4_is_in_range(SenderIPv4,"185.177.52.0/22") or
+ipv4_is_in_range(SenderIPv4,"192.160.215.0/24") or
+ipv4_is_in_range(SenderIPv4,"198.54.216.0/23"))
+| where EmailDirection == "Inbound" and DeliveryAction != "Blocked"
\ No newline at end of file