Reconaissance: All recipients bcc'd or undisclosed
Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid, potentially preceding an attack.
All recipients are bcc'd or undisclosed, with no links or attachments, and a short body and subject from an unknown sender.
Sublime rule
name: "Reconaissance: All recipients bcc'd or undisclosed"
description: |
  Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

  All recipients are bcc'd or undisclosed, with no links or attachments, and a short body and subject from an unknown sender.
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    length(recipients.bcc) > 0
    or any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
  )
  and length(subject.subject) <= 10
  and length(attachments) == 0
  // and there are no links, or all the links are to aka.ms or an extraction from a warning banner that matches the sender's domain
  and (
    length(body.links) == 0
    or length(filter(body.links,
                     (
                       .display_text is null
                       and .display_url.url == sender.email.domain.root_domain
                     )
                     or .href_url.domain.domain == "aka.ms"
                    )
    ) == length(body.links)
  )
  and (
    body.current_thread.text is null
    or length(body.current_thread.text) < 50
    or (
      length(body.current_thread.text) < 900
      // or body is most likely all warning banner ending with a generic greeting
      and regex.imatch(body.current_thread.text, '.*(hi|hello)')
    )
  )
  and profile.by_sender().prevalence != "common"
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

tags:
  - "Attack surface reduction"
  - "Deliverability testing"
attack_types:
  - "Spam"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "420f60d3-5d10-5384-9253-9521a758e799"
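To make the rule's conditions concrete, here is an added Python re-implementation of the same logic evaluated over constructed sample messages; it is not part of the Sublime rule or repository. The Msg fields and HIGH_TRUST_ROOT_DOMAINS are assumed stand-ins for Sublime's message model and the $high_trust_sender_root_domains list, and links are simplified to a display_text/display_url/href_domain triple.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample list standing in for $high_trust_sender_root_domains (assumption).
HIGH_TRUST_ROOT_DOMAINS = {"microsoft.com", "google.com"}


@dataclass
class Msg:
    # Assumed stand-in for the Sublime message model, flattened to the fields the rule reads.
    sender_root_domain: str
    bcc_count: int = 0                      # length(recipients.bcc)
    to_display_names: List[str] = field(default_factory=list)
    subject: str = ""
    attachments: int = 0
    links: List[dict] = field(default_factory=list)  # display_text, display_url, href_domain
    body_text: Optional[str] = None         # body.current_thread.text
    prevalence: str = "new"                 # profile.by_sender().prevalence
    solicited: bool = False
    any_false_positives: bool = False
    dmarc_pass: bool = True                 # headers.auth_summary.dmarc.pass


def _link_allowed(link: dict, root_domain: str) -> bool:
    # Banner-extracted link to the sender's own domain (no display text), or an aka.ms link.
    banner = link.get("display_text") is None and link.get("display_url") == root_domain
    return banner or link.get("href_domain") == "aka.ms"


def _body_short_or_banner(text: Optional[str]) -> bool:
    if text is None or len(text) < 50:
        return True
    # Longer bodies pass only if they end in a generic greeting; regex.imatch is a
    # case-insensitive full-string match, so fullmatch is the equivalent here.
    return len(text) < 900 and re.fullmatch(r".*(hi|hello)", text, re.I) is not None


def is_recon_message(m: Msg) -> bool:
    # strings.ilike with "?" as a one-character wildcard maps to "." in a regex fullmatch.
    undisclosed = any(re.fullmatch(r"undisclosed.recipients", n, re.I) for n in m.to_display_names)
    if not (m.bcc_count > 0 or undisclosed):
        return False
    if len(m.subject) > 10 or m.attachments != 0:
        return False
    if not all(_link_allowed(link, m.sender_root_domain) for link in m.links):
        return False
    if not _body_short_or_banner(m.body_text):
        return False
    if m.prevalence == "common" or m.solicited or m.any_false_positives:
        return False
    # Highly trusted sender domains are exempt unless they fail DMARC.
    if m.sender_root_domain in HIGH_TRUST_ROOT_DOMAINS and m.dmarc_pass:
        return False
    return True
```

The exemption for high-trust domains is the part most worth reading twice: a message from such a domain still fires when DMARC fails, which is exactly the spoofed-trusted-sender case the rule is guarding against.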