Headers: System account impersonation with empty sender address

Detects messages with an empty sender email address and a display name impersonating system accounts like mailer-daemon, postmaster, or administrator, but lacking legitimate bounce back content as determined by natural language processing.

Sublime rule (View on GitHub)

 1name: "Headers: System account impersonation with empty sender address"
 2description: "Detects messages with an empty sender email address and a display name impersonating system accounts like mailer-daemon, postmaster, or administrator, but lacking legitimate bounce back content as determined by natural language processing."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and sender.email.email == ""
 8  and (
 9    strings.icontains(sender.display_name, "mailer-daemon")
10    or strings.icontains(sender.display_name, "postmaster")
11  )
12  and not (
13    (
14      any(ml.nlu_classifier(body.current_thread.text).topics,
15          .name == "Bounce Back and Delivery Failure Notifications"
16          and .confidence == "high"
17      )
18      or regex.icontains(subject.subject, 'Undeliver(?:ed|able)')
19      or regex.icontains(subject.subject, 'Mensagem não entregue') // portuguese bounce back variant 
20      or regex.icontains(subject.subject, '系统退信') // chinese bounce back variant 
21    )
22  )
23    
24attack_types:
25  - "BEC/Fraud"
26  - "Credential Phishing"
27tactics_and_techniques:
28  - "Impersonation: Employee"
29  - "Social engineering"
30  - "Spoofing"
31detection_methods:
32  - "Header analysis"
33  - "Sender analysis"
34  - "Natural Language Understanding"
35id: "887f7953-9dbc-5582-a4b6-b5b79cce6744"
to-top