Unusually Long Local Part From Untrusted Sender Address

Detects messages with unusually long local address parts (before the @) from senders outside trusted domains and without verified authentication. The threshold is a local part longer than 100 characters; RFC 5321 (section 4.5.3.1.1) caps the local part at 64 octets, so legitimate addresses rarely come near it. The main benign exception is Exchange's Internet Mail Connector Encapsulated Address (IMCEA) format, which the rule excludes explicitly.

Sublime rule (View on GitHub)

name: "Unusually Long Local Part From Untrusted Sender Address"
description: "Detects messages with unusually long local address parts (before the @) from senders outside trusted domains and without verified authentication."
type: "rule"
severity: "low"
source: |
  // max length of the local_part for Exchange is 315
  // https://learn.microsoft.com/en-us/exchange/mail-flow/mail-routing/recipient-resolution?view=exchserver-2019&viewFallbackFrom=exchonline-ww
  100 < length(sender.email.local_part)
  // exclude org domains, unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $org_domains
    and headers.auth_summary.dmarc.pass
  )
  // exclude highly trusted sender domains, unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and headers.auth_summary.dmarc.pass
  )
  // exclude common senders, unless they have been marked malicious or spam
  and not (
    profile.by_sender_email().prevalence == "common"
    and profile.by_sender_email().any_messages_malicious_or_spam == false
  )
  // a commonly observed benign case: Exchange Internet Mail Connector Encapsulated Addresses (IMCEA)
  and not strings.istarts_with(sender.email.local_part, 'imcea')
  // no previous false positives on this specific sender
  and not profile.by_sender_email().any_false_positives
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "91a9cd45-41a9-51b9-9207-ded98d398d70"
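To make the exclusion logic concrete, the following Python re-implements the rule's predicate and runs it over constructed sample messages. This is an added example, not Sublime's own code or its MQL engine: the domain lists stand in for $org_domains and $high_trust_sender_root_domains, the root-domain extraction is a two-label approximation of Sublime's public-suffix-aware root_domain, and the sender profiles (prevalence, prior malicious/spam verdicts, prior false positives) are hand-built stand-ins for profile.by_sender_email(). A missing DMARC result is treated as not passing, which matches how the rule's `and headers.auth_summary.dmarc.pass` clause behaves.

```python
"""Added example (not Sublime's code): the rule's predicate in Python,
evaluated over constructed sample messages."""
from dataclasses import dataclass, field

# Constructed stand-ins for the rule's $org_domains and
# $high_trust_sender_root_domains lists.
ORG_DOMAINS = {"example.com"}
HIGH_TRUST_ROOT_DOMAINS = {"microsoft.com", "google.com"}
LOCAL_PART_THRESHOLD = 100  # rule fires only when strictly longer than this


@dataclass
class SenderProfile:
    """Hypothetical stand-in for profile.by_sender_email()."""
    prevalence: str = "new"  # "new", "uncommon" or "common"
    any_messages_malicious_or_spam: bool = False
    any_false_positives: bool = False


@dataclass
class Message:
    sender_email: str
    dmarc_pass: bool  # headers.auth_summary.dmarc.pass; False when absent
    profile: SenderProfile = field(default_factory=SenderProfile)


def split_address(addr: str):
    """Return (local_part, root_domain).

    Root domain is approximated as the last two DNS labels; Sublime's
    root_domain consults the public-suffix list, so e.g. *.co.uk differs.
    """
    local, _, domain = addr.rpartition("@")
    labels = domain.lower().split(".")
    root = ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()
    return local, root


def matches(msg: Message) -> bool:
    """Mirror of the rule's boolean expression, clause by clause."""
    local, root = split_address(msg.sender_email)
    if len(local) <= LOCAL_PART_THRESHOLD:
        return False
    # org domains and high-trust domains are excluded only if DMARC passes;
    # a spoof that fails DMARC still fires
    if root in ORG_DOMAINS and msg.dmarc_pass:
        return False
    if root in HIGH_TRUST_ROOT_DOMAINS and msg.dmarc_pass:
        return False
    p = msg.profile
    if p.prevalence == "common" and not p.any_messages_malicious_or_spam:
        return False
    # Exchange IMCEA-encapsulated addresses are a known benign source of
    # very long local parts; the rule compares case-insensitively
    if local.lower().startswith("imcea"):
        return False
    if p.any_false_positives:
        return False
    return True


def build_samples() -> dict:
    """Constructed messages exercising each clause of the rule."""
    long_local = "x" * 120  # 120 characters, well above the threshold
    untrusted = "unknown-sender.test"
    return {
        "untrusted_new_sender": Message(f"{long_local}@{untrusted}", False),
        "org_domain_dmarc_pass": Message(f"{long_local}@mail.example.com", True),
        "org_domain_dmarc_fail": Message(f"{long_local}@mail.example.com", False),
        "exchange_imcea": Message(f"IMCEAEX-{long_local}@{untrusted}", False),
        "common_clean_sender": Message(
            f"{long_local}@{untrusted}", False, SenderProfile(prevalence="common")),
        "common_but_flagged": Message(
            f"{long_local}@{untrusted}", False,
            SenderProfile(prevalence="common", any_messages_malicious_or_spam=True)),
        "short_local_part": Message(f"alice@{untrusted}", False),
        "prior_false_positive": Message(
            f"{long_local}@{untrusted}", False, SenderProfile(any_false_positives=True)),
    }


def evaluate_samples() -> dict:
    """Return {sample name: rule fired?} for the constructed messages."""
    return {name: matches(msg) for name, msg in build_samples().items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:24s} {'MATCH' if fired else 'no match'}")
```

The two cases worth noticing are `org_domain_dmarc_fail` (an org-domain sender that fails DMARC still matches, because the exclusion requires a DMARC pass) and `common_but_flagged` (a common sender with any prior malicious or spam verdict loses its exemption).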
