Disposable sender email (unsolicited)

Dec 7, 2023 · Attack surface reduction ·

Sender is using a disposable email service and no one in our organization has ever sent them an email.

Sublime rule (View on GitHub)

 1name: "Disposable sender email (unsolicited)"
 2description: |
 3  Sender is using a disposable email service and no one in our organization
 4  has ever sent them an email.  
 5type: "rule"
 6severity: "low"
 7source: |-
 8  type.inbound
 9  and sender.email.domain.root_domain in $disposable_email_providers
10  and sender.email.email not in $recipient_emails  
11tags:
12  - "Attack surface reduction"
13detection_methods:
14  - "Sender analysis"
15id: "5436b3db-3f17-5100-8136-1d03fc221fca"

Related rules

Attachment with encrypted zip (unsolicited)
Attachment: Any HTML file within archive (unsolicited)
Link: Google Translate (unsolicited)
Attachment: Uncommon compressed file
Attachment: RDP Connection file