Service Abuse: ExactTarget with suspicious sender indicators
Message originates from ExactTarget infrastructure (an exacttarget.com domain appears in the message headers) but carries at least one suspicious sender indicator: an overly long (50+ character) salesforce.com sender address, an awsapps.com sender domain, a sender domain containing a UTF-8 encoded-word fragment, or a sender display name that pairs a pipe character with a role keyword such as Manager, Careers, Recruitment, Specialist or Global.
Sublime rule

```yaml
name: "Service Abuse: ExactTarget with suspicious sender indicators"
description: "Message originates from ExactTarget infrastructure but uses a suspicious sender domain, including overly long salesforce.com domains, awsapps.com domains, domains containing UTF-8 encoding characters, or a suspicious sender display name."
type: "rule"
severity: "high"
source: |
  type.inbound
  // prerequisite: an exacttarget.com domain appears somewhere in the message headers
  and any(headers.domains, .root_domain == 'exacttarget.com')
  and (
    // unusually long salesforce.com sender address (whole address, not just the domain)
    (
      length(sender.email.email) >= 50
      and sender.email.domain.root_domain == "salesforce.com"
    )
    or sender.email.domain.root_domain == "awsapps.com"
    // encoded-word fragment (=?utf-8?...) surviving into the parsed sender domain
    or strings.icontains(sender.email.domain.domain, '?utf-8')
    // display name with a pipe followed by a role keyword, e.g. "HR | Recruitment Manager"
    or regex.icontains(sender.display_name,
                       '.*\|.*(Manager|Careers|Recruitment|Specialist|Global)'
    )
  )

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "6154f197-9543-50d8-af3d-f8a7e1d79cf8"
```
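To see how the rule's branches behave on concrete input, here is a Python approximation of its logic run over constructed sample messages. This is an added example, not code from Sublime or from the rule repository, and it makes several assumptions that are not in the rule text: `headers.domains` is approximated by scanning every header value for hostnames; `root_domain` is approximated by the last two DNS labels (Sublime resolves it against the public-suffix list, so country-code second-level domains behave differently); `sender.email` is taken from the From header; and every sample is treated as inbound, so `type.inbound` is assumed true. The relay hostname, addresses and sample messages are all constructed.

```python
"""Python approximation of the ExactTarget suspicious-sender rule, evaluated
over constructed sample messages (added example, not Sublime's code).

Assumptions (not from the rule text):
  - headers.domains  ~ every hostname-looking token in any header value
  - root_domain      ~ the last two DNS labels (Sublime uses the public-suffix
                       list, so e.g. co.uk domains would differ)
  - sender.email     ~ the From header; type.inbound is assumed true
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)
# The same pattern the rule passes to regex.icontains(sender.display_name, ...).
DISPLAY_NAME_RE = re.compile(
    r".*\|.*(Manager|Careers|Recruitment|Specialist|Global)", re.I
)


def root_domain(domain: str) -> str:
    """Approximate Sublime's .root_domain with the last two labels (assumption)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def header_domains(msg) -> set[str]:
    """Approximate headers.domains: hostnames found in any header, IPv4 dropped."""
    found = set()
    for _name, value in msg.items():
        for host in HOST_RE.findall(value):
            if host.rsplit(".", 1)[-1].isalpha():  # last label alphabetic -> not an IP
                found.add(host.lower())
    return found


def evaluate(raw: str) -> list[str]:
    """Return the names of the rule's OR-branches that fire for a raw message.

    An empty list means no match, either because no branch fired or because
    the ExactTarget prerequisite failed.
    """
    # The default (compat32) policy leaves header values raw, so an encoded-word
    # fragment such as =?utf-8?q?...?= inside the address is still visible here.
    msg = message_from_string(raw)
    if not any(root_domain(d) == "exacttarget.com" for d in header_domains(msg)):
        return []

    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2] if "@" in address else ""
    root = root_domain(domain) if domain else ""

    fired = []
    if len(address) >= 50 and root == "salesforce.com":
        fired.append("long_salesforce_sender")
    if root == "awsapps.com":
        fired.append("awsapps_sender")
    if "?utf-8" in domain.lower():
        fired.append("utf8_encoded_domain")
    if DISPLAY_NAME_RE.search(display_name):
        fired.append("suspicious_display_name")
    return fired


def build(relay_host: str, from_header: str) -> str:
    """Construct a minimal raw message relayed through relay_host (sample data)."""
    return (
        f"Received: from {relay_host} ({relay_host} [192.0.2.10])\n"
        " by mx.example.net with ESMTPS; Wed, 1 May 2024 09:12:44 +0000\n"
        f"From: {from_header}\n"
        "To: finance@example.net\n"
        "Subject: Notification\n\nbody\n"
    )


ET_RELAY = "mta1234.s12.exacttarget.com"  # constructed hostname, not a real relay
SAMPLES = {
    "long_salesforce": build(ET_RELAY, '"Billing Team" '
        "<bounce-123456789-987654321-2024-05-01@notifications.mail.salesforce.com>"),
    "awsapps": build(ET_RELAY, '"Account Notice" <alerts@mail.awsapps.com>'),
    "display_name": build(ET_RELAY,
        '"Acme HR | Recruitment Manager" <careers@mail.acme-corp.example>'),
    "utf8_domain": build(ET_RELAY,
        '"Salesforce Billing" <bill@=?utf-8?q?secure-portal?=.salesforce.com>'),
    "legit": build(ET_RELAY, '"Salesforce" <noreply@salesforce.com>'),
    "not_exacttarget": build("smtp.example.org",
        '"Account Notice" <alerts@mail.awsapps.com>'),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:16} -> {evaluate(raw) or 'no match'}")
```

Running it prints which branch fires for each sample. The two non-matching samples show the rule's scoping: a short, ordinary salesforce.com sender relayed through ExactTarget is left alone, and an awsapps.com sender that did not pass through ExactTarget is also left alone, because the `headers.domains` prerequisite gates every branch.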