Display name and subject impersonation using recipient SLD (new sender)

calendar Apr 24, 2024  ยท
Share on: linkedin copy

The recipient domain's SLD is used in the sender's display name and in the subject to impersonate the organization.

Sublime rule (View on GitHub)

 1name: "Display name and subject impersonation using recipient SLD (new sender)"
 2description: |
 3  The recipient domain's SLD is used in the sender's display name
 4  and in the subject to impersonate the organization.   
 5type: "rule"
 6severity: "medium"
 7source: |
 8  type.inbound
 9  and (
10    // recipient SLD is being impersonated in the subject + display name
11    (
12      // these are usually targeted with just 1 recipient,
13      // but sometimes they CC themselves or have a blank CC
14      (
15        length(recipients.to) + length(recipients.cc) + length(recipients.bcc) <= 2
16      )
17      and any(recipients.to,
18              length(.email.domain.sld) >= 4
19              // ensure that we're checking the org SLD
20              and .email.domain.sld in $org_slds
21              and strings.icontains(subject.subject, .email.domain.sld)
22              and strings.icontains(sender.display_name, .email.domain.sld)
23      )
24    )
25    or (
26      // accounts for BCC'd messages where the recipients are empty
27      // if BCC, sometimes the recipient will be the attacker's email
28      (
29        length(recipients.to) + length(recipients.cc) + length(recipients.bcc) <= 2
30      )
31      and length(mailbox.email.domain.sld) >= 4
32      and strings.icontains(subject.subject, mailbox.email.domain.sld)
33      and strings.icontains(sender.display_name, mailbox.email.domain.sld)
34    )
35  )
36  and (
37    // at least 1 link or non-image attachment
38    (
39      length(body.links) > 0
40      // these attacks all use compromosed senders, so we look for a domain
41      // that doesn't match the sender's domain to weed out legit messages
42      and any(body.links,
43              .href_url.domain.root_domain != sender.email.domain.root_domain
44      )
45    )
46    or length(filter(attachments, .file_type not in $file_types_images)) > 0
47  )
48  and not (
49    strings.contains(sender.display_name, "on behalf of")
50    and sender.email.domain.root_domain == "microsoftonline.com"
51  )
52  and all(recipients.to, .email.email != sender.email.email)
53  
54  // negate org domain senders, which can often be misconfigured and fail
55  // authentication, causing them to be type.inbound instead of type.internal.
56  // this is fine because we should catch spoofs in other ways.
57  // also, we use root_domain here to account for subdomains used by internal tools that aren't connected to the tenant.
58  // this should also be safe because domains like onmicrosoft[.]com are tracked as FQDNs in $org_domains, so they won't match
59  and sender.email.domain.root_domain not in $org_domains
60  
61  // negate highly trusted sender domains unless they fail DMARC authentication
62  and (
63    (
64      sender.email.domain.root_domain in $high_trust_sender_root_domains
65      and not headers.auth_summary.dmarc.pass
66    )
67    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
68  )
69  and (
70    not profile.by_sender().solicited
71    or (
72      profile.by_sender().any_messages_malicious_or_spam
73      and not profile.by_sender().any_false_positives
74    )
75  )
76  and not profile.by_sender().any_false_positives  
77
78attack_types:
79  - "Credential Phishing"
80tactics_and_techniques:
81  - "Social engineering"
82detection_methods:
83  - "Header analysis"
84  - "Sender analysis"
85id: "cb2b3ed3-268f-5753-9d2b-194d2ee1ed2e"
to-top