Russia return-path TLD (untrusted sender)

Sublime Rules

Summary
This detection rule aims to identify potentially malicious emails whose return-path header points to the Russian top-level domain (TLD) '.ru'. Specifically, it targets messages where the return-path domain ends in '.ru' but is not one of the recognized trusted domains such as 'corp.mail.ru' or 'calendar.yandex.ru'. The rule then assesses the sender's profile by checking their message history for signs of unreliability, including whether the sender's prevalence is 'new' or 'outlier' and whether the sender's interactions were solicited. It also flags senders whose profile contains messages previously judged malicious or spam, provided no false positives have been reported for that sender. Detecting such emails matters because they can fall under several attack types, including Business Email Compromise (BEC), credential phishing, and malware/ransomware. Combined with header-analysis and sender-analysis techniques, this rule helps reduce the attack surface of email communications.
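The following Python sketch is an added illustration of the logic described above, not the Sublime rule's own code or query language. The `SenderProfile` class is a hypothetical stand-in for the message-history profile the rule consults, the allowlist is matched exactly as the summary lists it, and treating a solicited sender as a suppression signal is an assumption made here.

```python
import re
from dataclasses import dataclass

# Exact-match allowlist named in the rule summary; a bare mail.ru return path does not match it.
TRUSTED_RU_DOMAINS = {"corp.mail.ru", "calendar.yandex.ru"}

@dataclass
class SenderProfile:
    """Hypothetical stand-in for the sender's message-history profile."""
    prevalence: str              # e.g. "new", "outlier", "common"
    solicited: bool              # the recipient previously wrote to this sender
    any_malicious_or_spam: bool  # earlier messages from this sender were judged malicious or spam
    any_false_positives: bool    # earlier detections on this sender were reported as false positives

def return_path_domain(header_value: str):
    """Lower-cased domain of a Return-Path value, or None for the null sender '<>' or a malformed value."""
    m = re.search(r"<([^<>]*)>", header_value)
    addr = (m.group(1) if m else header_value).strip()
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().rstrip(".").lower()

def sender_is_untrusted(profile: SenderProfile) -> bool:
    """Profile conditions from the summary: new/outlier prevalence, or prior malicious/spam with no false positives."""
    if profile.prevalence in ("new", "outlier"):
        return True
    return profile.any_malicious_or_spam and not profile.any_false_positives

def matches_rule(return_path: str, profile: SenderProfile) -> bool:
    domain = return_path_domain(return_path)
    if domain is None or not domain.endswith(".ru"):
        return False   # not a .ru return path; also covers '<>' and look-alikes such as example.ru.com
    if domain in TRUSTED_RU_DOMAINS:
        return False
    if profile.solicited:
        return False   # assumption: a sender the recipient already wrote to is not flagged
    return sender_is_untrusted(profile)

if __name__ == "__main__":
    # Constructed sample headers and profiles, not real traffic.
    samples = [
        ("<bounce@Example.RU>", SenderProfile("new", False, False, False)),
        ("<noreply@corp.mail.ru>", SenderProfile("new", False, False, False)),
        ("<news@promo.ru>", SenderProfile("common", False, True, True)),
    ]
    for rp, prof in samples:
        print(f"{rp:28} -> {'ALERT' if matches_rule(rp, prof) else 'pass'}")
```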
Categories
  • Endpoint
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2021-11-10