Impersonation using recipient domain (untrusted sender)

The recipient's domain is used in the sender's display name in order to impersonate the organization. The impersonation has been observed to use both the recipient's full email address, as well as just the domain.

Sublime rule (View on GitHub)

```yaml
name: "Impersonation using recipient domain (untrusted sender)"
description: |
  The recipient's domain is used in the sender's display name
  in order to impersonate the organization. The impersonation has been
  observed to use both the recipient's full email address, as well as
  just the domain.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // only 1 To: recipient
  and length(recipients.to) + length(recipients.bcc) + length(recipients.cc) == 1
  and any(recipients.to,
          // custom domains only
          sender.email.domain.domain not in $free_email_providers

          // recipient's domain is in the sender's display name
          and strings.icontains(sender.display_name, .email.domain.root_domain)
  )

  and not (
    (
      strings.contains(sender.display_name, "on behalf of")
      and sender.email.domain.root_domain == "microsoftonline.com"
    )
    or (
      strings.contains(sender.display_name, "via TransferXL")
      and sender.email.domain.root_domain == "transferxl.com"
    )
  )

  and all(recipients.to, .email.domain.root_domain != sender.email.domain.root_domain)

  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and
  (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "63e5808a-ab9a-5112-bc41-545db8c0afd2"
```
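To make the rule's core logic concrete, here is an added stand-alone re-implementation of its main checks in Python, run over constructed sample messages. It is illustrative code, not Sublime's engine or the rule itself: the free-provider list is a small constructed subset, root-domain extraction is simplified to the last two labels, sender prevalence is reduced to a boolean flag, and the high-trust-domain/DMARC branch is omitted.

```python
# Added illustration of the rule's core checks (not Sublime's engine).
from dataclasses import dataclass, field

# Constructed subset standing in for Sublime's $free_email_providers list.
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def root_domain(domain: str) -> str:
    # Simplified: last two labels (the real engine uses a public-suffix list).
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


@dataclass
class Message:
    sender_display_name: str
    sender_email: str
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    # Stands in for profile.by_sender().prevalence in ("new", "outlier").
    sender_is_new: bool = True


def matches(msg: Message) -> bool:
    """Return True when the message meets the rule's core conditions."""
    # Exactly one recipient across To/Cc/Bcc, and it must be in To.
    if len(msg.to) + len(msg.cc) + len(msg.bcc) != 1 or not msg.to:
        return False
    sender_domain = msg.sender_email.split("@", 1)[1].lower()
    sender_root = root_domain(sender_domain)
    recipient_root = root_domain(msg.to[0].split("@", 1)[1])
    display = msg.sender_display_name
    # Custom sender domains only; recipient root domain appears in the
    # display name (case-insensitive, so a full address also matches).
    if sender_domain in FREE_EMAIL_PROVIDERS or recipient_root not in display.lower():
        return False
    # Known services that legitimately place the recipient's domain in the name.
    if ("on behalf of" in display and sender_root == "microsoftonline.com") or (
        "via TransferXL" in display and sender_root == "transferxl.com"
    ):
        return False
    # Mail from the recipient's own domain is not impersonation.
    if recipient_root == sender_root:
        return False
    # Only flag senders the organization has little or no history with.
    return msg.sender_is_new
```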