Service abuse: SurveyMonkey survey from newly registered domain

 1name: "Service abuse: SurveyMonkey survey from newly registered domain"
 2description: "This Attack Surface Reduction (ASR) rule matches on SurveyMonkey Surveys with recently registered reply-to domains."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  
 8  // Legitimate SurveyMonkey sending infratructure
 9  and sender.email.email == "member@surveymonkeyuser.com"
10  and headers.auth_summary.spf.pass
11  and headers.auth_summary.dmarc.pass
12  and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
13  // 
14  // This rule makes use of a beta feature and is subject to change without notice
15  // using the beta feature in custom rules is not suggested until it has been formally released
16  // 
17  
18  // reply-to email address has never been sent an email by the org
19  and not beta.profile.by_reply_to().solicited
20  
21  // do not match if the reply_to address has been observed as a reply_to address
22  // of a message that has been classified as benign
23  and not beta.profile.by_reply_to().any_messages_benign  
24tags:
25 - "Attack surface reduction"
26attack_types:
27  - "Credential Phishing"
28tactics_and_techniques:
29  - "Evasion"
30  - "Free file host"
31  - "Social engineering"
32detection_methods:
33  - "Content analysis"
34  - "Header analysis"
35  - "Sender analysis"
36id: "50a85fa7-c582-5644-b043-28c240d48603"