Sender name contains Active Directory distinguished name

Sender's display name contains an Active Directory distinguished name or a similar string. This has been observed as a malicious indicator in the wild.

Sublime rule:

name: "Sender name contains Active Directory distinguished name"
description: |
  Sender's display name contains an Active Directory distinguished name or a similar string. This has been observed as a malicious indicator in the wild.
type: "rule"
severity: "medium"
# Inbound mail whose display name carries a case-insensitive RDN-style token
# (e.g. "CN=", "OU=", "/ou=") immediately followed by "=" or "/".
source: |
  type.inbound
  and regex.icontains(sender.display_name, '\b(EX|LABS|OU|CN|EXCHANGE)(=|/)')
tags:
  - "Suspicious sender"
attack_types:
  - "Credential Phishing"
detection_methods:
  - "Sender analysis"
id: "4f3c4901-a4ad-509b-ab83-bf3f118a3940"
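To see what the rule's two conditions actually accept and reject, here is an added Python harness (not Sublime's code and not part of the rule page) that applies the same regex with `re.IGNORECASE`, standing in for `regex.icontains`, to a handful of constructed sender display names. The `message` dict shape and the `direction` field are assumptions made for this example, a simplified stand-in for Sublime's message object, and the sample display names and addresses are made up, including the Exchange Online legacyExchangeDN-style path in `m1`.

```python
import re

# Regex lifted from the rule's `source`; re.IGNORECASE mirrors Sublime's
# regex.icontains (case-insensitive, unanchored search).
DN_TOKEN_RE = re.compile(r"\b(EX|LABS|OU|CN|EXCHANGE)(=|/)", re.IGNORECASE)


def display_name_looks_like_dn(display_name: str) -> bool:
    """True when the display name carries an RDN-style token such as 'CN=' or '/ou='.

    The \\b requires the token to start at a word boundary and the trailing
    (=|/) requires it to be used as an attribute, so 'Exchange Team' and
    'Alex Counsel' do not trigger while '/ou=Exchange' and 'CN=Helpdesk' do.
    """
    return DN_TOKEN_RE.search(display_name) is not None


def rule_matches(message: dict) -> bool:
    """Evaluate the rule's two conditions: inbound direction AND DN-like display name.

    `message` is an assumed, simplified stand-in for Sublime's message object
    (hypothetical shape for this example; not Sublime's MQL data model).
    """
    if message.get("direction") != "inbound":
        return False
    display_name = message.get("sender", {}).get("display_name") or ""
    return display_name_looks_like_dn(display_name)


def matching_ids(messages) -> list:
    """Return the ids of messages the rule would flag, in input order."""
    return [m["id"] for m in messages if rule_matches(m)]


# Constructed sample messages (not real mail). m1 imitates an Exchange Online
# legacyExchangeDN path in the display name, m2 an LDAP-style DN; m3 and m5 are
# ordinary names; m4 carries a DN but is outbound, so the rule ignores it.
SAMPLE_MESSAGES = [
    {"id": "m1", "direction": "inbound",
     "sender": {"display_name": "/o=ExchangeLabs/ou=Exchange Administrative Group "
                                "(FYDIBOHF23SPDLT)/cn=Recipients/cn=2f1e-Jane Doe",
                "email": "jane.doe@example.com"}},
    {"id": "m2", "direction": "inbound",
     "sender": {"display_name": "IT Helpdesk CN=Helpdesk,OU=Users,DC=corp,DC=example",
                "email": "helpdesk@example.net"}},
    {"id": "m3", "direction": "inbound",
     "sender": {"display_name": "Jane Doe", "email": "jane.doe@example.com"}},
    {"id": "m4", "direction": "outbound",
     "sender": {"display_name": "CN=Payroll,OU=Finance,DC=corp,DC=example",
                "email": "payroll@example.com"}},
    {"id": "m5", "direction": "inbound",
     "sender": {"display_name": "Exchange Team", "email": "noreply@example.org"}},
]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        verdict = "HIT " if rule_matches(m) else "pass"
        print(f"{verdict} {m['id']}: {m['sender']['display_name']}")
```

Running it flags `m1` and `m2` only. The word boundary plus the mandatory `=` or `/` is what keeps common words such as "Exchange" or names containing "ex"/"cn"/"ou" from firing; a display name that literally embeds an RDN, which no legitimate mail client produces on its own, is the signal. Python's `re` and Sublime's regex engine agree on this pattern because it uses only word boundaries and a plain alternation, but when porting other rules check for engine-specific syntax before assuming equivalent results.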