Lookalike sender domain (untrusted sender)
Sender's domain is a lookalike of one of your organization's domains and is untrusted.
# Sublime detection rule: inbound mail whose sender domain is one edit away from an
# organization domain, from a sender that is not trusted. The exact conditions are
# in `source`; MQL `//` comments explain each clause.
name: "Lookalike sender domain (untrusted sender)"
description: |
  Sender's domain is a lookalike of one of your organization's domains and is untrusted.
type: "rule"
severity: "high"
source: |
  type.inbound
  // lookalike check: the sender's full domain (sender.email.domain.domain, not the
  // root domain) must be exactly one case-insensitive edit away from an entry in
  // $org_domains — presumably that list holds domains in the same form; verify when tuning
  and any($org_domains,
          // this rule can be duplicated in order to tune the threshold
          strings.ilevenshtein(sender.email.domain.domain, .) == 1
  )

  // untrusted-sender condition: either the sender is unfamiliar (new/outlier) and the
  // message is unsolicited, or the sender has prior malicious/spam messages and no
  // recorded false positives
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a root domain listed in $high_trust_sender_root_domains is kept only when at
  // least one hop with a non-null DMARC result matches "*fail")
  and
  (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // global false-positive exclusion, applied regardless of which sender-profile
  // branch matched above
  and not profile.by_sender().any_false_positives
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "67721993-4f5d-575b-970b-3ced67a874fa"