Reconnaissance: Large unknown recipient list

Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

There's a large number of recipients that are unknown to the organization, no links or attachments, and a short body and subject from an unknown sender.

Sublime rule (View on GitHub)

 1name: "Reconnaissance: Large unknown recipient list"
 2description: |
 3  Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.
 4
 5  There's a large number of recipients that are unknown to the organization, no links or attachments, and a short body and subject from an unknown sender.  
 6type: "rule"
 7severity: "low"
 8source: |
 9  type.inbound
10  and (
11    length(recipients.to) > 10
12    and length(filter(recipients.to,
13                      .email.domain.domain not in $org_domains
14                      and .email.email not in $recipient_emails
15                      and (
16                        .email.domain.valid
17                        or strings.icontains(.display_name, "undisclosed")
18                      )
19               )
20    ) >= 10
21  )
22  and (
23    length(subject.subject) <= 10
24    or subject.subject == body.current_thread.text
25  )
26  and (
27    length(body.links) == 0
28    or length(filter(body.links,
29                     (
30                       .display_text is null
31                       and .display_url.url == sender.email.domain.root_domain
32                     )
33                     or .href_url.domain.domain == "aka.ms"
34                     or network.whois(.display_url.domain).days_old < 30
35              )
36    ) == length(body.links)
37  )
38  and (
39    length(attachments) == 0
40    or (
41      length(attachments) == 1
42      and any(attachments,
43              .file_type in ("pdf", "png", "jpg", "tif", "heif", "doc", "docx")
44              and any(file.explode(.),
45                      length(.scan.ocr.raw) < 20
46                      or length(.scan.strings.strings) == 1
47              )
48      )
49    )
50  )
51  and (body.current_thread.text is null or length(body.current_thread.text) < 50)
52  and profile.by_sender().prevalence != "common"
53  and not profile.by_sender().solicited
54  and not profile.by_sender().any_false_positives
55  
56  // negate highly trusted sender domains unless they fail DMARC authentication
57  and (
58    (
59      sender.email.domain.root_domain in $high_trust_sender_root_domains
60      and not headers.auth_summary.dmarc.pass
61    )
62    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
63  )  
64tags:
65  - "Attack surface reduction"
66  - "Deliverability testing"
67attack_types:
68  - "Reconnaissance"
69detection_methods:
70  - "Content analysis"
71  - "Header analysis"
72  - "Sender analysis"
73id: "24783a28-b6e2-5cca-9f6d-19c2cdfa6a9a"

Related rules

to-top