Impersonation using recipient domain (untrusted sender)

 1name: "Impersonation using recipient domain (untrusted sender)"
 2description: |
 3  The recipient's domain is used in the sender's display name
 4  in order to impersonate the organization. The impersonation has been 
 5  observed to use both the recipient's full email address, as well as 
 6  just the domain.  
 7type: "rule"
 8severity: "medium"
 9source: |
10  type.inbound
11  
12  // only 1 To: recipient
13  and length(recipients.to) + length(recipients.bcc) + length(recipients.cc) == 1
14  and any(recipients.to,
15          // custom domains only
16          sender.email.domain.domain not in $free_email_providers
17  
18          // recipient's domain is in the sender's display name
19          and strings.icontains(sender.display_name, .email.domain.root_domain)
20  )
21  and not (
22    (
23      strings.contains(sender.display_name, "on behalf of")
24      and sender.email.domain.root_domain == "microsoftonline.com"
25    )
26    or (
27      strings.contains(sender.display_name, "via TransferXL")
28      and sender.email.domain.root_domain == "transferxl.com"
29    )
30  )
31  and all(recipients.to,
32          .email.domain.root_domain != sender.email.domain.root_domain
33  )
34  and (
35    profile.by_sender().prevalence in ("new", "outlier")
36    or (
37      profile.by_sender().any_messages_malicious_or_spam
38      and not profile.by_sender().any_messages_benign
39    )
40  )
41  
42  // negate highly trusted sender domains unless they fail DMARC authentication
43  and (
44    (
45      sender.email.domain.root_domain in $high_trust_sender_root_domains
46      and not headers.auth_summary.dmarc.pass
47    )
48    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
49  )  
50attack_types:
51  - "Credential Phishing"
52tactics_and_techniques:
53  - "Social engineering"
54detection_methods:
55  - "Header analysis"
56  - "Sender analysis"
57id: "63e5808a-ab9a-5112-bc41-545db8c0afd2"