Reconnaissance: Large unknown recipient list

calendar May 22, 2025 · Attack surface reduction Deliverability testing  ·
Share on: linkedin copy

Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

There's a large number of recipients that are unknown to the organization, no links or attachments, and a short body and subject from an unknown sender.

Sublime rule (View on GitHub)

 1name: "Reconnaissance: Large unknown recipient list"
 2description: |
 3  Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.
 4
 5  There's a large number of recipients that are unknown to the organization, no links or attachments, and a short body and subject from an unknown sender.  
 6type: "rule"
 7severity: "low"
 8source: |
 9  type.inbound
10  and (
11    length(recipients.to) > 10
12    and length(filter(recipients.to,
13                      .email.domain.domain not in $org_domains
14                      and .email.email not in $recipient_emails
15                      and (
16                        .email.domain.valid
17                        or strings.icontains(.display_name, "undisclosed")
18                      )
19               )
20    ) >= 10
21  )
22  and (
23    length(subject.subject) <= 10 or subject.subject == body.current_thread.text
24  )
25  and (
26    length(body.links) == 0
27    or length(filter(body.links,
28                     (
29                       .display_text is null
30                       and .display_url.url == sender.email.domain.root_domain
31                     )
32                     or .href_url.domain.domain == "aka.ms"
33                     or network.whois(.display_url.domain).days_old < 30
34              )
35    ) == length(body.links)
36  )
37  and (
38    length(attachments) == 0
39    or (
40      length(attachments) == 1
41      and any(attachments,
42              .file_type in ("pdf", "png", "jpg", "tif", "heif", "doc", "docx")
43              and any(file.explode(.),
44                      length(.scan.ocr.raw) < 20
45                      or length(.scan.strings.strings) == 1
46              )
47      )
48    )
49  )
50  and (
51    body.current_thread.text is null
52    or length(body.current_thread.text) < 50
53    // body length without disclaimer is shorter than 50 characters
54    or (
55      any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
56                     .name == "disclaimer"
57              ),
58              .text
59          ),
60          (length(body.current_thread.text) - length(.)) < 50
61      )
62    )
63  )
64  and profile.by_sender().prevalence != "common"
65  and not profile.by_sender().solicited
66  and not profile.by_sender().any_false_positives
67  
68  // negate highly trusted sender domains unless they fail DMARC authentication
69  and (
70    (
71      sender.email.domain.root_domain in $high_trust_sender_root_domains
72      and not headers.auth_summary.dmarc.pass
73    )
74    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
75  )  
76tags:
77  - "Attack surface reduction"
78  - "Deliverability testing"
79attack_types:
80  - "Reconnaissance"
81detection_methods:
82  - "Content analysis"
83  - "Header analysis"
84  - "Sender analysis"
85id: "24783a28-b6e2-5cca-9f6d-19c2cdfa6a9a"

Related rules

to-top