Reconnaissance: All recipients bcc'd or undisclosed

Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

All recipients are bcc'd or undisclosed, with no links or attachments, and a short body and subject from an unknown sender.

Sublime rule

name: "Reconaissance: All recipients bcc'd or undisclosed"
description: |
  Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

  All recipients are bcc'd or undisclosed, with no links or attachments, and a short body and subject from an unknown sender.
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    length(recipients.bcc) > 0
    or any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
  )
  and length(subject.subject) <= 10
  and length(attachments) == 0
  // and there are no links, or every link either points to aka.ms or is an extraction from a warning banner that matches the sender's domain
  and (
    length(body.links) == 0
    or length(filter(body.links,
                     (
                       .display_text is null
                       and .display_url.url == sender.email.domain.root_domain
                     )
                     or .href_url.domain.domain == "aka.ms"
              )
    ) == length(body.links)
  )
  and (
    body.current_thread.text is null
    or length(body.current_thread.text) < 50
    or (
      length(body.current_thread.text) < 900
      // or the body is most likely all warning banner, ending with a generic greeting
      and regex.imatch(body.current_thread.text, '.*(hi|hello)')
    )
  )
  and profile.by_sender().prevalence != "common"
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

tags:
  - "Attack surface reduction"
  - "Deliverability testing"
attack_types:
  - "Spam"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "420f60d3-5d10-5384-9253-9521a758e799"
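To see what each branch of the rule does on concrete messages, here is an added Python re-implementation of its logic (not Sublime's code or MQL engine) run over constructed message records. The dict keys, the sample messages and the HIGH_TRUST_ROOT_DOMAINS set are assumptions standing in for Sublime's message object and the $high_trust_sender_root_domains list.

```python
import re

HIGH_TRUST_ROOT_DOMAINS = {"microsoft.com", "google.com"}  # stand-in for $high_trust_sender_root_domains (assumption)
UNDISCLOSED = re.compile(r"undisclosed.recipients", re.I)   # ilike "undisclosed?recipients": ? matches one character
GREETING_END = re.compile(r".*(hi|hello)", re.I | re.S)       # regex.imatch '.*(hi|hello)' is a full-string match

def link_is_benign(link: dict, sender_root: str) -> bool:
    # a warning-banner extraction of the sender's own domain, or a Microsoft aka.ms link
    banner = link["display_text"] is None and link["display_url"] == sender_root
    return banner or link["href_domain"] == "aka.ms"

def body_is_short(body) -> bool:
    # body.current_thread.text: absent, under 50 chars, or under 900 chars and ending in a greeting
    if body is None or len(body) < 50:
        return True
    return len(body) < 900 and GREETING_END.fullmatch(body) is not None

def is_recon(m: dict) -> bool:
    """m carries the subset of Sublime's message object the rule reads (keys mirror the MQL paths)."""
    hidden = bool(m["bcc"]) or any(UNDISCLOSED.fullmatch(n) for n in m["to_display_names"])
    links_ok = all(link_is_benign(l, m["sender_root_domain"]) for l in m["links"])
    unknown = m["prevalence"] != "common" and not m["solicited"] and not m["any_false_positives"]
    trusted = m["sender_root_domain"] in HIGH_TRUST_ROOT_DOMAINS
    dmarc_fail = any(r.lower().endswith("fail") for r in m["dmarc_results"])  # any hop's DMARC result
    return (hidden and len(m["subject"]) <= 10 and m["attachments"] == 0 and links_ok
            and body_is_short(m["body"]) and unknown and (not trusted or dmarc_fail))

def constructed_samples() -> dict:
    # constructed messages (not real traffic), one per branch of the rule
    base = dict(bcc=["user@example.org"], to_display_names=[], subject="Hi", attachments=0, links=[],
                body="test", sender_root_domain="mailer.example", prevalence="new", solicited=False,
                any_false_positives=False, dmarc_results=["pass"])
    return {
        "bcc_probe": base,
        "undisclosed_probe": {**base, "bcc": [], "to_display_names": ["Undisclosed recipients"]},
        "trusted_dmarc_pass": {**base, "sender_root_domain": "microsoft.com"},
        "trusted_dmarc_fail": {**base, "sender_root_domain": "microsoft.com", "dmarc_results": ["fail"]},
        "banner_then_greeting": {**base, "body": "CAUTION: external sender. " * 8 + "Hello"},
        "aka_ms_only": {**base, "links": [{"display_text": "Learn more", "display_url": "x", "href_domain": "aka.ms"}]},
        "known_newsletter": {**base, "prevalence": "common",
                             "links": [{"display_text": "Read", "display_url": "n", "href_domain": "news.example"}]},
    }
```

Running is_recon over constructed_samples() shows the two exceptions the rule carves out: a trusted domain only triggers when some hop reports a DMARC failure, and a mid-length body only passes when it ends in a greeting, as a forwarded warning banner would.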
