Reconnaissance: Large unknown recipient list
Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid, potentially preceding an attack.
The message has a large number of recipients unknown to the organization, no links or attachments, and a short subject and body, and it comes from an unknown sender.
Sublime rule:

```yaml
name: "Reconaissance: Large unknown recipient list"
description: |
  Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

  There's a large number of recipients that are unknown to the organization, no links or attachments, and a short body and subject from an unknown sender.
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    length(recipients.to) > 10
    and length(filter(recipients.to,
                      .email.domain.domain not in $org_domains
                      and .email.email not in $recipient_emails
                      and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
                      )
    ) >= 10
  )
  and length(subject.subject) <= 10
  and length(body.links) == 0
  and length(attachments) == 0
  and (body.current_thread.text is null or length(body.current_thread.text) < 50)
  and profile.by_sender().prevalence != "common"
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
  - "Attack surface reduction"
  - "Deliverability testing"
attack_types:
  - "Spam"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "24783a28-b6e2-5cca-9f6d-19c2cdfa6a9a"
```
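The rule's conditions re-implemented in plain Python over a constructed message, as an added example that is not Sublime's code or MQL; the ORG_DOMAINS, KNOWN_RECIPIENTS and HIGH_TRUST_ROOTS sets and the Message fields are assumed stand-ins for the $org_domains, $recipient_emails and $high_trust_sender_root_domains lists and for the message attributes the rule reads.

```python
from dataclasses import dataclass
# Constructed stand-ins for the rule's $org_domains, $recipient_emails and
# $high_trust_sender_root_domains lists (hypothetical values).
ORG_DOMAINS = {"example.com"}
KNOWN_RECIPIENTS = {"alice@example.com"}
HIGH_TRUST_ROOTS = {"trusted-partner.test"}

@dataclass
class Message:
    to: list              # dicts with "email", "display_name", "domain_valid"
    subject: str
    body_text: object     # str, or None for "body.current_thread.text is null"
    links: int
    attachments: int
    sender: dict          # root_domain, prevalence, solicited, any_false_positives
    dmarc_pass: bool

def unknown_recipients(to: list) -> int:
    """Mirror of the rule's filter(): external, never-seen recipients whose
    domain is valid or whose display name looks like 'undisclosed recipients'."""
    return sum(
        1 for r in to
        if r["email"].split("@")[-1] not in ORG_DOMAINS
        and r["email"] not in KNOWN_RECIPIENTS
        and (r["domain_valid"] or "undisclosed" in r["display_name"].lower())
    )

def is_recon(msg: Message) -> bool:
    """True when every condition of the rule holds for an inbound message."""
    # Highly trusted sender root domains are exempt unless DMARC fails.
    trusted_and_authenticated = msg.sender["root_domain"] in HIGH_TRUST_ROOTS and msg.dmarc_pass
    return (
        len(msg.to) > 10
        and unknown_recipients(msg.to) >= 10
        and len(msg.subject) <= 10
        and msg.links == 0 and msg.attachments == 0
        and (msg.body_text is None or len(msg.body_text) < 50)
        and msg.sender["prevalence"] != "common"
        and not msg.sender["solicited"] and not msg.sender["any_false_positives"]
        and not trusted_and_authenticated
    )

# Constructed sample: 12 never-seen external recipients, empty body, no links.
SAMPLE = Message(
    to=[{"email": f"user{i}@other.test", "display_name": "", "domain_valid": True}
        for i in range(12)],
    subject="hi", body_text="", links=0, attachments=0, dmarc_pass=False,
    sender={"root_domain": "newsender.test", "prevalence": "new",
            "solicited": False, "any_false_positives": False},
)
```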