Headers: System account impersonation with empty sender address
Detects messages with an empty sender email address and a display name impersonating system accounts like mailer-daemon, postmaster, or administrator, but lacking legitimate bounce back content as determined by natural language processing.
name: "Headers: System account impersonation with empty sender address"
description: "Detects messages with an empty sender email address and a display name impersonating system accounts like mailer-daemon, postmaster, or administrator, but lacking legitimate bounce back content as determined by natural language processing."
type: "rule"
severity: "medium"
# NOTE(review): the description lists "administrator" as an impersonated system
# account, but the source below only matches "mailer-daemon" and "postmaster" in
# the display name — confirm whether the description or the display-name check
# should be updated so the two agree.
source: |
  // Match inbound mail whose sender address is empty but whose display name
  // claims to be a system account, unless the message looks like a genuine
  // delivery-failure notification.
  type.inbound
  and sender.email.email == ""
  and (
    strings.icontains(sender.display_name, "mailer-daemon")
    or strings.icontains(sender.display_name, "postmaster")
  )
  // Exclusions: either the NLU classifier labels the current thread as a
  // bounce-back with high confidence, or the subject contains a bounce-back
  // phrase. Each subject check is evaluated on its own and is not tied to the
  // body classification, so any one of them is enough to exclude the message.
  and not (
    (
      any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "Bounce Back and Delivery Failure Notifications"
          and .confidence == "high"
      )
      or regex.icontains(subject.subject, 'Undeliver(?:ed|able)')
      or regex.icontains(subject.subject, 'Mensagem não entregue') // portuguese bounce back variant
      or regex.icontains(subject.subject, '系统退信') // chinese bounce back variant
    )
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "Natural Language Understanding"
id: "887f7953-9dbc-5582-a4b6-b5b79cce6744"