Impersonation using recipient domain (untrusted sender)

 1name: "Impersonation using recipient domain (untrusted sender)"
 2description: |
 3  The recipient's domain is used in the sender's display name
 4  in order to impersonate the organization. The impersonation has been 
 5  observed to use both the recipient's full email address, as well as 
 6  just the domain.  
 7type: "rule"
 8severity: "medium"
 9source: |
10  type.inbound
11  
12  // only 1 To: recipient
13  and length(recipients.to) + length(recipients.bcc) + length(recipients.cc) == 1
14  and any(recipients.to,
15          // custom domains only
16          sender.email.domain.domain not in $free_email_providers
17  
18          // recipient's domain is in the sender's display name
19          and strings.icontains(sender.display_name, .email.domain.root_domain)
20  )
21  
22  and not (
23    (
24      strings.contains(sender.display_name, "on behalf of")
25      and sender.email.domain.root_domain == "microsoftonline.com"
26    )
27    or (
28      strings.contains(sender.display_name, "via TransferXL")
29      and sender.email.domain.root_domain == "transferxl.com"
30    )
31  )
32  
33  and all(recipients.to, .email.domain.root_domain != sender.email.domain.root_domain)
34  
35  and (
36    profile.by_sender().prevalence in ("new", "outlier")
37    or (
38      profile.by_sender().any_messages_malicious_or_spam
39      and not profile.by_sender().any_false_positives
40    )
41  )
42  
43  // negate highly trusted sender domains unless they fail DMARC authentication
44  and (
45    (
46      sender.email.domain.root_domain in $high_trust_sender_root_domains
47      and not headers.auth_summary.dmarc.pass
48    )
49    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
50  )
51    
52attack_types:
53  - "Credential Phishing"
54tactics_and_techniques:
55  - "Social engineering"
56detection_methods:
57  - "Header analysis"
58  - "Sender analysis"
59id: "63e5808a-ab9a-5112-bc41-545db8c0afd2"