Reconaissance: Large unknown recipient list

Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

The message has a large number of recipients unknown to the organization, no links or attachments, and a short subject and body from an unknown sender.

Sublime rule

```yaml
name: "Reconaissance: Large unknown recipient list"
description: |
  Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

  There's a large number of recipients that are unknown to the organization, no links or attachments, and a short body and subject from an unknown sender.
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    length(recipients.to) > 10
    and length(filter(recipients.to,
                      .email.domain.domain not in $org_domains
                      and .email.email not in $recipient_emails
                      and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
               )
    ) >= 10
  )
  and length(subject.subject) <= 10
  and length(body.links) == 0
  and length(attachments) == 0
  and (body.current_thread.text is null or length(body.current_thread.text) < 50)
  and profile.by_sender().prevalence != "common"
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
  - "Attack surface reduction"
  - "Deliverability testing"
attack_types:
  - "Spam"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "24783a28-b6e2-5cca-9f6d-19c2cdfa6a9a"
```
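The rule's clauses re-implemented in Python as an added example (not Sublime's code and not the rule itself), so the logic can be exercised against a constructed message. The dict field names, the sample org domains, known recipient addresses and high-trust root domains are assumptions standing in for `$org_domains`, `$recipient_emails` and `$high_trust_sender_root_domains`.

```python
# Constructed sample context (assumed; not from the original rule page).
ORG_DOMAINS = {"example.com"}
KNOWN_RECIPIENTS = {"alice@partner.test"}
HIGH_TRUST_ROOT_DOMAINS = {"microsoft.com"}


def unknown_recipients(to, org_domains, known):
    """The filter(recipients.to, ...) clause: recipients outside the org, never
    seen before, with a valid domain or an 'undisclosed' display name."""
    return [r for r in to
            if r["domain"] not in org_domains and r["email"] not in known
            and (r["domain_valid"] or "undisclosed" in r["display_name"].lower())]


def is_recon_recipient_list(msg, org_domains=ORG_DOMAINS, known=KNOWN_RECIPIENTS,
                            high_trust=HIGH_TRUST_ROOT_DOMAINS):
    """Return True when the message satisfies every clause of the rule."""
    if not msg["inbound"] or len(msg["to"]) <= 10:
        return False
    if len(unknown_recipients(msg["to"], org_domains, known)) < 10:
        return False
    if len(msg["subject"]) > 10 or msg["links"] or msg["attachments"]:
        return False
    body = msg["body_text"]  # body.current_thread.text; None when absent
    if body is not None and len(body) >= 50:
        return False
    prof = msg["sender_profile"]
    if prof["prevalence"] == "common" or prof["solicited"] or prof["any_false_positives"]:
        return False
    # Highly trusted sender root domains are exempt unless some hop's DMARC result
    # ends in "fail" (the strings.ilike(..., "*fail") clause, case-insensitive).
    if msg["sender_root_domain"] in high_trust:
        return any(r is not None and r.lower().endswith("fail") for r in msg["dmarc_results"])
    return True


def sample_recon_message(n_recipients=12, sender_root="unknown-sender.test"):
    """Constructed message: short subject and body, no links, many unseen recipients."""
    return {
        "inbound": True,
        "to": [{"email": f"user{i}@corp{i}.test", "domain": f"corp{i}.test",
                "domain_valid": True, "display_name": ""} for i in range(n_recipients)],
        "subject": "hi", "links": [], "attachments": [], "body_text": "test",
        "sender_root_domain": sender_root, "dmarc_results": [None, "pass"],
        "sender_profile": {"prevalence": "new", "solicited": False,
                           "any_false_positives": False},
    }
```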
