diff --git a/detection-rules/abuse_exacttarget_sender_domain.yml b/detection-rules/abuse_exacttarget_sender_domain.yml
new file mode 100644
index 00000000000..201c683dfa8
--- /dev/null
+++ b/detection-rules/abuse_exacttarget_sender_domain.yml
@@ -0,0 +1,26 @@
+name: "Service Abuse: ExactTarget with suspicious sender domain"
+description: "Message originates from ExactTarget infrastructure but uses a suspicious sender domain, including overly long salesforce.com domains, awsapps.com domains, or domains containing UTF-8 encoding characters."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(headers.domains, .root_domain == 'exacttarget.com')
+ and (
+ (
+ length(sender.email.domain.domain) >= 50
+ and sender.email.domain.root_domain == "salesforce.com"
+ )
+ or sender.email.domain.root_domain == "awsapps.com"
+ or strings.icontains(sender.email.domain.domain, '?utf-8')
+ )
+
+attack_types:
+ - "Credential Phishing"
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
+id: "6154f197-9543-50d8-af3d-f8a7e1d79cf8"
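Review bot: The `length(sender.email.domain.domain) >= 50` threshold in the `source` block is an unexplained magic number; a future tuner cannot tell whether 50 was chosen from observed abuse samples or as a guess, so it needs a comment on that line (or a sentence in `description`) stating what the cutoff is based on and how it was validated against legitimate salesforce.com sender domains. Relatedly, the `description` says the rule catches domains "containing UTF-8 encoding characters", but the `strings.icontains(..., '?utf-8')` check actually matches the RFC 2047 encoded-word marker embedded in the domain string, which is a narrower and more precise claim — suggest wording it as `or domains containing an RFC 2047 encoded-word marker ('?utf-8')`. As a point of style, the MQL mixes single quotes (`'exacttarget.com'`, `'?utf-8'`) and double quotes (`"salesforce.com"`, `"awsapps.com"`) for string literals; pick one form for the rule so the three sender-domain branches read consistently.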