Lookalike sender domain (untrusted sender)

Sender's domain is a lookalike of one of your organization's domains and is untrusted.

Sublime rule (View on GitHub)

```yaml
name: "Lookalike sender domain (untrusted sender)"
description: |
    Sender's domain is a lookalike of one of your organization's domains and is untrusted.
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(sender.email.domain.sld) > 3
  and sender.email.domain.domain not in $org_domains
  and any($org_domains,
          // this rule can be duplicated in order to tune the threshold
          strings.ilevenshtein(sender.email.domain.domain, .) == 1
  )
  and (
    (
      profile.by_sender_email().prevalence in ("new", "outlier")
      and not profile.by_sender_email().solicited
    )
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and not profile.by_sender_email().any_messages_benign
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "67721993-4f5d-575b-970b-3ced67a874fa"
```
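To show what the rule's predicates actually match, here is the lookalike test and the sender-trust conditions re-implemented in plain Python as an added example (not Sublime's code or MQL). The `ORG_DOMAINS` list, the sample sender domains, the profile dictionary keys and the first-label `sld()` simplification are all constructed for the illustration.

```python
# Added illustration, not part of the Sublime rule: the rule's lookalike logic
# re-implemented in plain Python so its behaviour can be seen on sample input.
from typing import Optional

# Constructed stand-in for $org_domains; a real tenant configures its own.
ORG_DOMAINS = ("examplecorp.com", "acme.io")

def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance (same idea as strings.ilevenshtein)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sld(domain: str) -> str:
    """Second-level label ('examplecorp' for 'examplecorp.com'). Simplified:
    first label only; Sublime's sender.email.domain.sld is suffix-aware."""
    return domain.split(".")[0]

def lookalike_of(sender_domain: str, org_domains=ORG_DOMAINS) -> Optional[str]:
    """Org domain that sender_domain is exactly one edit away from, or None.
    Mirrors the rule's first three predicates: sld longer than 3 characters,
    not itself an org domain, ilevenshtein == 1 against some org domain."""
    if len(sld(sender_domain)) <= 3:
        return None  # short labels have too many one-edit neighbours
    if sender_domain.lower() in {d.lower() for d in org_domains}:
        return None  # an exact org domain is not a lookalike
    return next((d for d in org_domains if ilevenshtein(sender_domain, d) == 1), None)

def sender_untrusted(profile: dict, dmarc_pass: bool, high_trust: bool) -> bool:
    """The rule's sender-profile and trust conditions, given a profile dict with
    keys prevalence, solicited, any_bad, any_benign (constructed field names)."""
    new_unsolicited = profile["prevalence"] in ("new", "outlier") and not profile["solicited"]
    bad_history = profile["any_bad"] and not profile["any_benign"]
    trust_ok = (not high_trust) or (not dmarc_pass)  # high-trust roots only count if DMARC fails
    return (new_unsolicited or bad_history) and trust_ok and not profile["any_benign"]

if __name__ == "__main__":
    # Constructed sample sender domains; note the two-edit "rn" swap is not caught.
    for d in ["examplecorp.com", "exampIecorp.com", "examplecorp.cm",
              "exarnplecorp.com", "acme.co", "ace.io"]:
        print(f"{d:18} -> lookalike of {lookalike_of(d)}")
```

The `exarnplecorp.com` case is two edits from `examplecorp.com`, which is why the comment in the rule suggests duplicating it to tune the threshold.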