Reconnaissance: All recipients cc/bcc'd or undisclosed
Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.
All recipients are bcc'd or undisclosed, with no links or attachments, and a short body and subject from an unknown sender.
Sublime rule (View on GitHub)
1name: "Reconnaissance: All recipients cc/bcc'd or undisclosed"
2description: |
3 Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.
4
5 All recipients are bcc'd or undisclosed, with no links or attachments, and a short body and subject from an unknown sender.
6type: "rule"
7severity: "low"
8source: |
9 type.inbound
10 and (
11 length(recipients.bcc) > 0
12 or length(recipients.cc) > 0
13 or any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
14 )
15 and (
16 length(subject.base) <= 10
17 or (
18 strings.ilike(subject.base, "*checking*", "*testing*")
19 and length(subject.base) <= 25
20 )
21 )
22 and length(attachments) == 0
23 // and there are no links. Or all the links are to aka.ms or an extraction from a warning banner that match the senders domain
24 and (
25 length(body.links) == 0
26 or length(filter(body.links,
27 (
28 .display_text is null
29 and .display_url.url == sender.email.domain.root_domain
30 )
31 or .href_url.domain.domain == "aka.ms"
32 )
33 ) == length(body.links)
34 )
35 and (
36 body.current_thread.text is null
37 or length(body.current_thread.text) < 50
38 or (
39 length(body.current_thread.text) < 900
40 // or body is most likely all warning banner ending with a generic greeting
41 and regex.imatch(body.current_thread.text, '.*(hi|hello)')
42 )
43 // body length without disclaimer is shorter than 50 characters
44 or (
45 any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
46 .name == "disclaimer"
47 ),
48 .text
49 ),
50 (length(body.current_thread.text) - length(.)) < 50
51 )
52 )
53 )
54 and profile.by_sender().prevalence != "common"
55 and not profile.by_sender().solicited
56 and not profile.by_sender().any_messages_benign
57
58 // negate highly trusted sender domains unless they fail DMARC authentication
59 and (
60 (
61 sender.email.domain.root_domain in $high_trust_sender_root_domains
62 and not headers.auth_summary.dmarc.pass
63 )
64 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
65 )
66
67tags:
68 - "Attack surface reduction"
69 - "Deliverability testing"
70attack_types:
71 - "Reconnaissance"
72detection_methods:
73 - "Content analysis"
74 - "Header analysis"
75 - "Sender analysis"
76id: "420f60d3-5d10-5384-9253-9521a758e799"