Lookalike sender domain

The sender's domain is within one edit (Levenshtein distance 1) of one of your organization's domains, and the sender is a first-time, unsolicited correspondent (not previously seen as a sender or recipient).

Sublime rule (View on GitHub)

 1name: "Lookalike sender domain"
 2description: |
 3    Sender's domain is a lookalike of one of your organization's domains.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and any($org_domains,
 9          // this rule can be duplicated in order to tune the threshold
10          strings.ilevenshtein(sender.email.domain.domain, .) == 1
11  )
12
13  // first-time sender and unsolicited
14  and (
15    (
16      sender.email.domain.root_domain in $free_email_providers
17      and sender.email.email not in $sender_emails
18      and sender.email.email not in $recipient_emails
19    )
20    or (
21      sender.email.domain.root_domain not in $free_email_providers
22      and sender.email.domain.domain not in $sender_domains
23      and sender.email.domain.domain not in $recipient_domains
24    )
25  )  
26attack_types:
27  - "BEC/Fraud"
28  - "Credential Phishing"
29  - "Malware/Ransomware"
30tactics_and_techniques:
31  - "Lookalike domain"
32  - "Social engineering"
33detection_methods:
34  - "Sender analysis"
35id: "67721993-4f5d-575b-970b-3ced67a874fa"