Sender name contains Active Directory distinguished name

Sender's display name contains an Active Directory distinguished name or a similar string. This has been observed as a malicious indicator in the wild.

Sublime rule

```yaml
name: "Sender name contains Active Directory distinguished name"
description: |
  Sender's display name contains an Active Directory distinguished name or a similar string. This has been observed as a malicious indicator in the wild.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    regex.icontains(sender.display_name, '\b(EX|LABS|OU|CN|EXCHANGE)(=|/)')
    or strings.icontains(sender.display_name, "/O=EXCHANGELABS")
  )
  and sender.email.domain.root_domain not in $org_domains
  and not (
    sender.email.domain.root_domain in ('fnfcorp.com')
    and headers.auth_summary.dmarc.pass
  )
tags:
  - "Suspicious sender"
attack_types:
  - "Credential Phishing"
detection_methods:
  - "Sender analysis"
id: "4f3c4901-a4ad-509b-ab83-bf3f118a3940"
```
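To see how the rule's clauses combine, here is an added Python re-implementation of its logic (not Sublime's code and not the rule itself) run over constructed sample senders. The `Message` class is an assumed stand-in for the message fields the rule reads, and `example.com` stands in for `$org_domains`.

```python
import re
from dataclasses import dataclass

# Same pattern the rule passes to regex.icontains(): a DN-style token followed by "=" or "/".
DN_TOKEN_RE = re.compile(r"\b(EX|LABS|OU|CN|EXCHANGE)(=|/)", re.IGNORECASE)
ORG_DOMAINS = {"example.com"}      # stands in for $org_domains (assumed value)
DMARC_EXCEPTION = {"fnfcorp.com"}  # the rule's explicit, DMARC-gated exception

@dataclass
class Message:
    # Constructed stand-in for the fields the rule reads from a Sublime message.
    display_name: str         # sender.display_name
    root_domain: str          # sender.email.domain.root_domain
    dmarc_pass: bool = False  # headers.auth_summary.dmarc.pass
    inbound: bool = True      # type.inbound

def dn_regex_hit(name: str) -> bool:
    return DN_TOKEN_RE.search(name) is not None

def dn_in_display_name(name: str) -> bool:
    # "/O=EXCHANGELABS" alone never satisfies the regex (no "=" or "/" directly after
    # EX, EXCHANGE or LABS), which is why the rule adds the literal substring check.
    return dn_regex_hit(name) or "/o=exchangelabs" in name.lower()

def rule_matches(msg: Message, org_domains=ORG_DOMAINS) -> bool:
    # Mirrors the rule's source clause by clause.
    if not msg.inbound or not dn_in_display_name(msg.display_name):
        return False
    if msg.root_domain in org_domains:  # internal senders are excluded
        return False
    if msg.root_domain in DMARC_EXCEPTION and msg.dmarc_pass:
        return False  # allowlisted domain, and the message authenticated
    return True

# Constructed sample senders; none are real addresses.
SAMPLES = {
    "dn_external": Message("/O=EXCHANGELABS/OU=EXCHANGE ADMINISTRATIVE GROUP/CN=RECIPIENTS", "mailer.example"),
    "cn_external": Message("CN=Jane Doe,OU=Users", "mailer.example"),
    "literal_only": Message("IT Helpdesk /O=EXCHANGELABS", "mailer.example"),
    "plain_name": Message("Jane Doe", "mailer.example"),
    "internal": Message("CN=Jane Doe", "example.com"),
    "exception_dmarc_pass": Message("CN=Payroll", "fnfcorp.com", dmarc_pass=True),
    "exception_dmarc_fail": Message("CN=Payroll", "fnfcorp.com"),
}

def evaluate_samples() -> dict:
    return {label: rule_matches(msg) for label, msg in SAMPLES.items()}
```

The `literal_only` sample shows why the rule carries both clauses: the regex alone misses a bare `/O=EXCHANGELABS`, and the allowlisted domain is only exempted when DMARC actually passed.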