Service Abuse: ExactTarget with suspicious sender domain

Message originates from ExactTarget infrastructure but uses a suspicious sender domain, including overly long salesforce.com domains, awsapps.com domains, or domains containing UTF-8 encoding characters.

Sublime rule

name: "Service Abuse: ExactTarget with suspicious sender domain"
description: "Message originates from ExactTarget infrastructure but uses a suspicious sender domain, including overly long salesforce.com domains, awsapps.com domains, or domains containing UTF-8 encoding characters."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(headers.domains, .root_domain == 'exacttarget.com')
  and (
    (
      length(sender.email.domain.domain) >= 50
      and sender.email.domain.root_domain == "salesforce.com"
    )
    or sender.email.domain.root_domain == "awsapps.com"
    or strings.icontains(sender.email.domain.domain, '?utf-8')
  )

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "6154f197-9543-50d8-af3d-f8a7e1d79cf8"
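The rule above is written in Sublime's message query language, which only runs inside the Sublime platform. To show how its three sender-domain checks combine with the ExactTarget infrastructure condition, here is an added re-implementation in plain Python run over a few constructed messages. This is example code, not Sublime's engine or the rule's own code: the `Message` class, the sample messages and the `root_domain` helper are assumptions, and `root_domain` simply takes the last two labels, whereas Sublime's `root_domain` uses the public suffix list (so multi-part suffixes such as co.uk would differ).

```python
from __future__ import annotations
from dataclasses import dataclass


def root_domain(domain: str) -> str:
    """Simplified registrable-domain extraction (assumption: last two labels).
    Sublime's .root_domain consults the public suffix list instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


@dataclass
class Message:
    """Minimal stand-in for the fields the rule reads (hypothetical model)."""
    inbound: bool               # type.inbound
    sender_domain: str          # sender.email.domain.domain
    header_domains: list[str]   # headers.domains[*].domain


def originates_from_exacttarget(msg: Message) -> bool:
    # any(headers.domains, .root_domain == 'exacttarget.com')
    return any(root_domain(d) == "exacttarget.com" for d in msg.header_domains)


def suspicious_sender_reasons(msg: Message) -> list[str]:
    """Return the names of the sender-domain conditions that fire (empty if none)."""
    reasons = []
    full = msg.sender_domain
    root = root_domain(full)
    # length(sender.email.domain.domain) >= 50 and root_domain == "salesforce.com"
    if len(full) >= 50 and root == "salesforce.com":
        reasons.append("long_salesforce_domain")
    # sender.email.domain.root_domain == "awsapps.com"
    if root == "awsapps.com":
        reasons.append("awsapps_domain")
    # strings.icontains(sender.email.domain.domain, '?utf-8')
    # catches RFC 2047 encoded-word residue such as "=?utf-8?q?...?=" in a domain
    if "?utf-8" in full.lower():
        reasons.append("encoded_word_in_domain")
    return reasons


def evaluate(msg: Message) -> tuple[bool, list[str]]:
    """Full rule: inbound AND from ExactTarget AND at least one suspicious-domain check."""
    if not msg.inbound or not originates_from_exacttarget(msg):
        return False, []
    reasons = suspicious_sender_reasons(msg)
    return bool(reasons), reasons


# Constructed sample messages (not real traffic). The first sender domain is
# 60 characters long, comfortably over the rule's 50-character threshold.
SAMPLES = {
    "long_salesforce": Message(
        True,
        "abcdefghijklmnopqrstuvwxyz0123456789abcd.mail.salesforce.com",
        ["click.exacttarget.com", "mail.salesforce.com"],
    ),
    "awsapps": Message(
        True, "mail.awsapps.com", ["bounce.exacttarget.com"],
    ),
    "encoded_word": Message(
        True, "=?utf-8?q?example?=.com", ["exacttarget.com"],
    ),
    # Legitimate ExactTarget send: infrastructure matches, sender domain is ordinary.
    "benign_exacttarget": Message(
        True, "news.example-retailer.com", ["click.exacttarget.com"],
    ),
    # awsapps.com sender but no ExactTarget headers: out of scope for this rule.
    "awsapps_not_exacttarget": Message(
        True, "mail.awsapps.com", ["mail.example.net"],
    ),
    # Outbound copy of a matching message: type.inbound fails, so no match.
    "outbound": Message(
        False, "mail.awsapps.com", ["click.exacttarget.com"],
    ),
}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        matched, reasons = evaluate(msg)
        print(f"{name:28s} match={matched!s:5s} reasons={reasons}")
```

Running the block prints one line per sample; only the first three match. The `benign_exacttarget` sample is the important negative case: ExactTarget headers alone are not enough, which is what keeps the rule from flagging every Salesforce Marketing Cloud customer's mail.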