Service Abuse: ExactTarget with suspicious sender domain
Message originates from ExactTarget infrastructure but uses a suspicious sender domain, including overly long salesforce.com domains, awsapps.com domains, or domains containing UTF-8 encoding characters.
Sublime rule:

name: "Service Abuse: ExactTarget with suspicious sender domain"
description: "Message originates from ExactTarget infrastructure but uses a suspicious sender domain, including overly long salesforce.com domains, awsapps.com domains, or domains containing UTF-8 encoding characters."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(headers.domains, .root_domain == 'exacttarget.com')
  and (
    (
      length(sender.email.domain.domain) >= 50
      and sender.email.domain.root_domain == "salesforce.com"
    )
    or sender.email.domain.root_domain == "awsapps.com"
    or strings.icontains(sender.email.domain.domain, '?utf-8')
  )

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "6154f197-9543-50d8-af3d-f8a7e1d79cf8"
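To see which sender domains the three conditions in the rule's source block actually catch, here is an added re-implementation of that logic in plain Python run over constructed messages; it is not Sublime's code, and it assumes a simplified root_domain (last two DNS labels) rather than the platform's public-suffix-aware lookup.

```python
# Added example, not Sublime's code: re-implements the rule's sender-domain
# checks in plain Python and runs them over constructed messages.
# Assumption: root_domain is approximated as the last two DNS labels; the
# platform's .root_domain is public-suffix aware, so treat this as a sketch.

def root_domain(domain: str) -> str:
    """Approximate the rule's .root_domain (last two labels, lower-cased)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def matches_rule(inbound: bool, header_domains: list, sender: str) -> bool:
    """Mirror the rule's `source` block for one message (True = alert)."""
    if not inbound:
        return False
    # Must originate from ExactTarget infrastructure per the header domains.
    if not any(root_domain(d) == "exacttarget.com" for d in header_domains):
        return False
    sender_domain = sender.rsplit("@", 1)[-1]
    root = root_domain(sender_domain)
    long_salesforce = len(sender_domain) >= 50 and root == "salesforce.com"
    awsapps_sender = root == "awsapps.com"
    # strings.icontains(..., '?utf-8'): an RFC 2047 encoded-word marker that
    # has no business appearing in a bare domain; compared case-insensitively.
    encoded_word = "?utf-8" in sender_domain.lower()
    return long_salesforce or awsapps_sender or encoded_word


# Constructed sample messages (placeholder values, not real indicators).
ET_HEADERS = ["bounce.exacttarget.com", "exacttarget.com"]
SAMPLES = {
    "long_salesforce": (True, ET_HEADERS, "noreply@" + "x" * 40 + ".salesforce.com"),
    "short_salesforce": (True, ET_HEADERS, "noreply@notify.salesforce.com"),
    "awsapps": (True, ET_HEADERS, "billing@mail.awsapps.com"),
    "encoded_word": (True, ET_HEADERS, "alerts@=?UTF-8?Q?bank?=.example.com"),
    "outbound": (False, ET_HEADERS, "billing@mail.awsapps.com"),
    "not_exacttarget": (True, ["example.net"], "billing@mail.awsapps.com"),
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the rule logic."""
    return {name: matches_rule(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:16} -> {'ALERT' if hit else 'pass'}")
```

The "outbound" and "not_exacttarget" samples show the two gating conditions doing their work: the same awsapps.com sender is ignored unless the message is inbound and carries an ExactTarget header domain.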