Impersonation using recipient domain (first-time sender)

The recipient's own domain is placed in the sender's display name to impersonate the recipient's organization. Attackers have been observed using either the recipient's full email address or just the domain as the display name. The rule only fires for inbound mail with exactly one recipient, from a sender whose domain (or, for free-mail senders, whose address) has not been seen before, and it excludes Microsoft (microsoftonline.com) "on behalf of" and TransferXL relays that legitimately put the tenant's domain in the display name.

Sublime rule (View on GitHub)

name: "Impersonation using recipient domain (first-time sender)"
description: |
  The recipient's domain is used in the sender's display name
  in order to impersonate the organization. The impersonation has been
  observed to use both the recipient's full email address, as well as
  just the domain.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // exactly one recipient across To, Cc and Bcc (the any() below requires it to be in To)
  and length(recipients.to) + length(recipients.bcc) + length(recipients.cc) == 1
  and any(recipients.to,
          // custom sender domains only (full domain, not root domain)
          sender.email.domain.domain not in $free_email_providers

          // recipient's root domain appears in the sender's display name (case-insensitive)
          and strings.icontains(sender.display_name, .email.domain.root_domain)
  )

  // legitimate relays that put the tenant's domain in the display name (case-sensitive match)
  and not (
    (
      strings.contains(sender.display_name, "on behalf of")
      and sender.email.domain.root_domain == "microsoftonline.com"
    )
    or (
      strings.contains(sender.display_name, "via TransferXL")
      and sender.email.domain.root_domain == "transferxl.com"
    )
  )

  // a user mailing themselves is not impersonation
  and all(recipients.to, .email.email != sender.email.email)

  // first-time sender: free-mail senders are keyed by address, custom domains by domain
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "63e5808a-ab9a-5112-bc41-545db8c0afd2"
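To see how each clause of the rule behaves, here is a plain-Python re-implementation of its decision logic run over constructed RFC 5322 messages. This is an added example, not Sublime's code or its MQL engine. It assumes: `root_domain()` keeps the last two labels (Sublime uses the Public Suffix List, so co.uk-style suffixes differ), the `$free_email_providers`, `$sender_emails` and `$sender_domains` lists are replaced by small constructed sets, every message passed in is inbound (`type.inbound`), and all addresses are made up.

```python
"""Python re-implementation of the rule's decision logic (added example,
not Sublime's code or MQL engine), run over constructed messages."""
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-ins for Sublime's $free_email_providers list and for the
# $sender_emails / $sender_domains history behind the "first-time sender" clause.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
KNOWN_SENDER_EMAILS = {"friend@gmail.com"}
KNOWN_SENDER_DOMAINS = {"vendor-saas.example"}


def root_domain(domain: str) -> str:
    """Approximation of Sublime's .root_domain: keep the last two labels.
    Sublime uses the Public Suffix List, so multi-label suffixes such as
    co.uk are handled correctly there and not here (assumption)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) > 1 else labels[0]


def domain_of(addr: str) -> str:
    return addr.lower().rpartition("@")[2]


def _addresses(msg, header):
    """(display name, lower-cased address) for every mailbox in a header."""
    return [(name, addr.lower()) for name, addr in getaddresses(msg.get_all(header, []))]


def matches(raw: str, known_emails=KNOWN_SENDER_EMAILS,
            known_domains=KNOWN_SENDER_DOMAINS) -> bool:
    """True when the message (assumed inbound, i.e. type.inbound) would hit the rule."""
    msg = message_from_string(raw)
    senders = _addresses(msg, "From")
    if not senders:
        return False
    sender_name, sender_email = senders[0]
    sender_domain = domain_of(sender_email)      # sender.email.domain.domain
    sender_root = root_domain(sender_domain)     # sender.email.domain.root_domain
    to, cc, bcc = (_addresses(msg, h) for h in ("To", "Cc", "Bcc"))

    # exactly one recipient across To/Cc/Bcc; any(recipients.to, ...) then requires it to be in To
    if len(to) + len(cc) + len(bcc) != 1:
        return False

    # custom sender domain, and a To recipient's root domain appears (case-insensitively) in the display name
    if not any(sender_domain not in FREE_EMAIL_PROVIDERS
               and root_domain(domain_of(rcpt)) in sender_name.lower()
               for _, rcpt in to):
        return False

    # legitimate relays that put the tenant's domain in the display name (case-sensitive, like strings.contains)
    if (("on behalf of" in sender_name and sender_root == "microsoftonline.com")
            or ("via TransferXL" in sender_name and sender_root == "transferxl.com")):
        return False

    # a user mailing themselves is not impersonation
    if not all(rcpt != sender_email for _, rcpt in to):
        return False

    # first-time sender: free-mail senders are keyed by address, custom domains by domain
    if sender_root in FREE_EMAIL_PROVIDERS:
        return sender_email not in known_emails
    return sender_domain not in known_domains


# Constructed sample messages (headers only); none of the addresses are real.
IMPERSONATION = 'From: "bob@acme.com" <it-support@secure-mail-portal.example>\nTo: bob@acme.com\nSubject: Password expires today\n\n'
MULTI_RECIPIENT = 'From: "acme.com" <it-support@secure-mail-portal.example>\nTo: bob@acme.com, alice@acme.com\n\n'
MS_ON_BEHALF = 'From: "acme.com on behalf of Jane Doe" <no-reply@mail.microsoftonline.com>\nTo: bob@acme.com\n\n'
SELF_SEND = 'From: "Acme.com Admin" <bob@acme.com>\nTo: bob@acme.com\n\n'
KNOWN_VENDOR = 'From: "acme.com Alerts" <noreply@vendor-saas.example>\nTo: bob@acme.com\n\n'
FREE_MAIL = 'From: "bob@acme.com" <someone@gmail.com>\nTo: bob@acme.com\n\n'

if __name__ == "__main__":
    for label, raw in [("impersonation", IMPERSONATION), ("multi-recipient", MULTI_RECIPIENT),
                       ("ms on behalf of", MS_ON_BEHALF), ("self-send", SELF_SEND),
                       ("known vendor", KNOWN_VENDOR), ("free mail", FREE_MAIL)]:
        print(f"{label:16} -> {matches(raw)}")
```

Only `IMPERSONATION` hits; the other samples each fail one clause (recipient count, the Microsoft relay exclusion, self-send, a previously seen sender domain, or a free-mail sender domain). Passing `known_domains=set()` for `KNOWN_VENDOR` makes it fire again, which is the tuning knob: the rule's precision depends entirely on how complete the sender-history lists are.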