Lookalike sender domain (untrusted sender)
Sender's domain is a lookalike of one of your organization's domains and is untrusted.
name: 'Lookalike sender domain (untrusted sender)'
description: |
  Sender's domain is a lookalike of one of your organization's domains and is untrusted.
type: 'rule'
severity: 'high'
source: |
  type.inbound

  // skip very short second-level labels, which would otherwise sit within one
  // edit of many unrelated domains, and skip senders already on an org domain
  and length(sender.email.domain.sld) > 3
  and sender.email.domain.domain not in $org_domains

  // this rule can be duplicated in order to tune the threshold
  and any($org_domains, strings.ilevenshtein(sender.email.domain.domain, .) == 1)

  // sender is either unfamiliar and unsolicited, or has a malicious/spam history
  // with no recorded false positives
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and headers.auth_summary.dmarc.pass
  )
  and not profile.by_sender().any_false_positives
attack_types:
  - 'BEC/Fraud'
  - 'Credential Phishing'
  - 'Malware/Ransomware'
tactics_and_techniques:
  - 'Lookalike domain'
  - 'Social engineering'
detection_methods:
  - 'Sender analysis'
id: '67721993-4f5d-575b-970b-3ced67a874fa'