Inbound Message from Popular Service Via Newly Observed Distribution List
Detects when a message comes through a distribution list by matching on return paths containing Sender Rewrite Scheme (SRS) from a previously unknown domain sender to a single recipient who has never interacted with the organization. This method has been observed being abused by threat actors to deliver callback phishing.
Sublime rule
```yaml
name: "Inbound Message from Popular Service Via Newly Observed Distribution List"
description: "Detects when a message comes through a distribution list by matching on return paths containing Sender Rewrite Scheme (SRS) from a previously unknown domain sender to a single recipient who has never interacted with the organization. This method has been observed being abused by threat actors to deliver callback phishing."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(recipients.to) == 1
  and length(recipients.bcc) == 0
  // abuse involves a popular service
  and sender.email.domain.root_domain in $tranco_50k

  // message is not from a free mail provider; we have only observed service providers being abused
  and sender.email.domain.root_domain not in $free_email_providers
  and sender.email.domain.domain not in $free_email_providers
  and not any(recipients.to, .email.email =~ sender.email.email)

  // uses Sender Rewrite Scheme, indicating the message traversed a distribution list or other automatic relay
  and (
    strings.icontains(headers.return_path.local_part, "+SRS=")
    // when the recipient is a group controlled by the final recipient
    // the return_path header can be overwritten;
    // check the SPF designator for evidence of SRS
    or strings.icontains(headers.auth_summary.spf.details.designator, "+SRS=")
    or any(headers.hops,
           strings.icontains(.authentication_results.spf_details.designator,
                             '+SRS='
           )
    )
  )
  // the sender and recipients are not in $org_domains
  and sender.email.domain.domain not in $org_domains
  // the recipient has never sent an email to the org
  and all(recipients.to,
          .email.domain.domain not in $org_domains
          // ensure the recipient domain has never sent/received an email to/from the org
          and (
            (
              // use the domain only if the recipient domain is not a free email provider
              .email.domain.domain not in $free_email_providers
              and .email.domain.root_domain not in $free_email_providers
              and .email.domain.domain not in $sender_domains
              and .email.domain.root_domain not in $sender_domains
              and .email.domain.domain not in $recipient_domains
              and .email.domain.root_domain not in $recipient_domains
            )
            or (
              // use the full email address if the recipient domain is a free email provider
              (
                .email.domain.domain in $free_email_providers
                or .email.domain.root_domain in $free_email_providers
              )
              and .email.email not in $sender_emails
              and .email.email not in $recipient_emails
            )
            or (
              .email.domain.root_domain in ("onmicrosoft.com")
              // negate onmicrosoft domains within org_domains
              and not .email.domain.domain in $org_domains
            )
          )
  )
  // if there are reply-to addresses, ensure they are also not associated with the org
  and all(headers.reply_to,
          .email.domain.domain not in $org_domains
          and .display_name not in $org_display_names
  )

  // check the return path to ensure it's not related to our sender or the mailbox at all
  and not strings.iends_with(headers.return_path.local_part,
                             strings.concat('@', sender.email.domain.domain)
  )
  and not strings.icontains(headers.return_path.local_part,
                            mailbox.email.local_part
  )

  // not an inbox rule or automatic forward from a Microsoft Account
  and not any(headers.hops,
              any(.fields,
                  .name in~ (
                    'X-MS-Exchange-ForwardingLoop',
                    'X-MS-Exchange-Inbox-Rules-Loop'
                  )
              )
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "8f4bc148-a6b3-5dc4-9d2b-893c38c86c48"
```
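As an added illustration (not the Sublime rule's own code or Sublime's message model), the following Python approximates the rule's logic over a simplified message dict, so each branch (SRS evidence in the return path or SPF designators, the free-mail versus domain check for a never-seen recipient, the onmicrosoft case, the return-path and forwarding-loop exclusions) can be exercised offline. The list contents, the dict field names and the root-domain helper are all assumptions.

```python
import re
# Constructed stand-ins for the Sublime lists ($org_domains, $sender_domains, $recipient_domains,
# $free_email_providers, $tranco_50k, ...); every value here is hypothetical.
ORG_DOMAINS, ORG_DISPLAY_NAMES = {"example-corp.com"}, {"Example Corp IT"}
SENDER_DOMAINS = RECIPIENT_DOMAINS = {"partner.example"}        # domains the org has exchanged mail with
SENDER_EMAILS = RECIPIENT_EMAILS = {"known.contact@gmail.com"}  # free-mail addresses the org knows
FREE_MAIL = {"gmail.com", "outlook.com"}
TRANCO_50K = {"example-service.com", "gmail.com"}
SRS = re.compile(r"\+SRS=", re.I)
LOOP_HEADERS = {"x-ms-exchange-forwardingloop", "x-ms-exchange-inbox-rules-loop"}

def local(addr): return addr.rsplit("@", 1)[0].lower()
def domain(addr): return addr.rsplit("@", 1)[1].lower()
def root(d): return ".".join(d.split(".")[-2:])   # naive root-domain approximation (assumption)

def recipient_never_seen(addr):
    """Mirror of the rule's all(recipients.to, ...) block: has the org ever mailed with this address?"""
    d = domain(addr); r = root(d)
    if d in ORG_DOMAINS:
        return False
    if r == "onmicrosoft.com":            # tenant domain that is not one of the org's own
        return True
    if d in FREE_MAIL or r in FREE_MAIL:  # free mail: the domain means nothing, compare the full address
        return addr.lower() not in SENDER_EMAILS | RECIPIENT_EMAILS
    return not ({d, r} & (SENDER_DOMAINS | RECIPIENT_DOMAINS))

def matches(m):
    """m: dict with the fields the rule reads (constructed shape, not Sublime's message model)."""
    sd, rp = domain(m["sender"]), local(m["return_path"])
    if len(m["to"]) != 1 or m.get("bcc"):
        return False
    if root(sd) not in TRANCO_50K or sd in FREE_MAIL or root(sd) in FREE_MAIL or sd in ORG_DOMAINS:
        return False
    if m["to"][0].lower() == m["sender"].lower():
        return False
    designators = [m.get("spf_designator", "")] + m.get("hop_spf_designators", [])
    if not (SRS.search(rp) or any(SRS.search(x) for x in designators)):
        return False                                   # no SRS anywhere: no evidence of a list/relay
    if not all(recipient_never_seen(a) for a in m["to"]):
        return False
    if any(domain(e) in ORG_DOMAINS or n in ORG_DISPLAY_NAMES for e, n in m.get("reply_to", [])):
        return False
    if rp.endswith("@" + sd) or local(m["mailbox"]) in rp:
        return False                                   # return path tied to the sender or the mailbox
    return not (LOOP_HEADERS & {h.lower() for h in m.get("hop_headers", [])})

# Constructed sample: a service notification relayed through a list (SRS in the return path) to a never-seen recipient.
SAMPLE = {"sender": "no-reply@example-service.com", "to": ["victim@never-seen.example"],
          "return_path": "list+SRS=abc12=XY=example-service.com=no-reply@lists.example",
          "mailbox": "victim@never-seen.example"}
```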