Sender name contains Active Directory distinguished name
Sender's display name contains an Active Directory distinguished name or a similar string. This has been observed as a malicious indicator in the wild.
Sublime rule
```yaml
name: "Sender name contains Active Directory distinguished name"
description: |
  Sender's display name contains an Active Directory distinguished name or a similar string. This has been observed as a malicious indicator in the wild.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and regex.icontains(sender.display_name, '\b(EX|LABS|OU|CN|EXCHANGE)(=|/)')
tags:
  - "Suspicious sender"
attack_types:
  - "Credential Phishing"
detection_methods:
  - "Sender analysis"
id: "4f3c4901-a4ad-509b-ab83-bf3f118a3940"
```
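To see what the rule's single predicate actually matches, here is a Python port of its logic, run over a handful of constructed display names. This is an added example, not Sublime's engine or code from the rule repository: the MQL call `regex.icontains(sender.display_name, ...)` is approximated with a case-insensitive `re.search`, `type.inbound` is modelled as a boolean field on a plain dict, and all sample messages are made up for the illustration.

```python
import re

# Pattern copied verbatim from the rule's `source` block. The leading \b keeps
# the keyword from matching inside a longer word (e.g. "Ouch"), and the trailing
# (=|/) requires the token to be used as a DN attribute ("OU=", "CN=", "/CN").
DN_TOKEN_PATTERN = re.compile(r'\b(EX|LABS|OU|CN|EXCHANGE)(=|/)', re.IGNORECASE)


def display_name_looks_like_dn(display_name: str) -> bool:
    """Stand-in for regex.icontains(sender.display_name, <pattern>)."""
    return DN_TOKEN_PATTERN.search(display_name or "") is not None


def evaluate(message: dict) -> bool:
    """Mirror `type.inbound and regex.icontains(...)`.

    `message` is a constructed dict with `inbound` and `display_name` keys,
    not Sublime's real message object (assumption for this example).
    """
    return bool(message.get("inbound")) and display_name_looks_like_dn(
        message.get("display_name", "")
    )


# Constructed sample messages (not taken from the page or any real mailbox).
SAMPLES = [
    {"id": 1, "inbound": True, "display_name": "Jane Doe"},
    # Classic AD distinguished name used as a display name.
    {"id": 2, "inbound": True, "display_name": "CN=Jane Doe,OU=Staff,DC=example,DC=test"},
    # Exchange legacy-DN style string; lowercase "cn=" still matches (icontains).
    {"id": 3, "inbound": True, "display_name": "/O=ExchangeLabs/OU=Exchange Administrative Group/cn=Recipients/cn=jdoe"},
    # Same DN shape but outbound: the `type.inbound` clause suppresses it.
    {"id": 4, "inbound": False, "display_name": "CN=Service Account,OU=Svc"},
    # "OU" inside a word and not followed by "=" or "/": no match (\b + suffix).
    {"id": 5, "inbound": True, "display_name": "Ouch Support"},
    # Keyword present but not used as a DN attribute: no match.
    {"id": 6, "inbound": True, "display_name": "Exchange Team"},
]


def flagged_ids(messages=SAMPLES):
    """Return the ids of the sample messages the rule would fire on."""
    return [m["id"] for m in messages if evaluate(m)]


if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m['id']}: inbound={m['inbound']!s:5} hit={evaluate(m)!s:5} {m['display_name']!r}")
    print("flagged:", flagged_ids())
```

Running it flags only messages 2 and 3. The two negative samples show why the pattern is written the way it is: the `\b` anchor stops ordinary words that happen to start with `OU` or `EX` from matching, and the mandatory `=` or `/` after the keyword means a display name such as "Exchange Team" is not treated as a distinguished name, which keeps the rule's false-positive rate low on legitimate inbound mail.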