Lookalike sender domain (untrusted sender)

The sender's domain is a lookalike of one of your organization's domains — exactly one character edit away (Levenshtein distance 1) from an entry in `$org_domains` — and the sender is untrusted: either new or an outlier with no solicited history, or previously seen sending malicious/spam mail with no recorded false positives. Senders from highly trusted root domains are exempted unless a hop records an explicit DMARC failure.

Sublime rule (View on GitHub)

 1name: "Lookalike sender domain (untrusted sender)"
 2description: |
 3    Sender's domain is a lookalike of one of your organization's domains and is untrusted.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and any($org_domains,
 9          // this rule can be duplicated in order to tune the threshold
10          strings.ilevenshtein(sender.email.domain.domain, .) == 1
11  )
12
13  and (
14    (
15      profile.by_sender().prevalence in ("new", "outlier")
16      and not profile.by_sender().solicited
17    )
18    or (
19      profile.by_sender().any_messages_malicious_or_spam
20      and not profile.by_sender().any_false_positives
21    )
22  )
23
24  // negate highly trusted sender domains unless they fail DMARC authentication
25  and
26  (
27    (
28      sender.email.domain.root_domain in $high_trust_sender_root_domains
29      and (
30        any(distinct(headers.hops, .authentication_results.dmarc is not null),
31            strings.ilike(.authentication_results.dmarc, "*fail")
32        )
33      )
34    )
35    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
36  )
37
38  and not profile.by_sender().any_false_positives  
39attack_types:
40  - "BEC/Fraud"
41  - "Credential Phishing"
42  - "Malware/Ransomware"
43tactics_and_techniques:
44  - "Lookalike domain"
45  - "Social engineering"
46detection_methods:
47  - "Sender analysis"
48id: "67721993-4f5d-575b-970b-3ced67a874fa"