Spam: Single recipient duplicated in cc

Detects spam emails where the 'To' and 'CC' fields match, using indicators such as short body length with spam keywords, unsolicited content, dmarc failures, fake threads, and suspicious links.

Sublime rule (View on GitHub)

  1name: "Spam: Single recipient duplicated in cc"
  2description: "Detects spam emails where the 'To' and 'CC' fields match, using indicators such as short body length with spam keywords, unsolicited content, dmarc failures, fake threads, and suspicious links."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  
  8  // one recipient and 1 cc
  9  and length(recipients.to) == 1
 10  and length(recipients.cc) == 1
 11  
 12  // unsolicited
 13  and not profile.by_sender().solicited
 14  
 15  // recipients email matches the cc email
 16  and any(recipients.to, any(recipients.cc, .email.email == ..email.email))
 17  
 18  // body is short with spam keywords
 19  and (
 20    (
 21      length(body.current_thread.text) < 150
 22      and strings.ilike(body.current_thread.text,
 23                        "*congrat*",
 24                        "*win*",
 25                        "*expired*",
 26                        "*subscription*",
 27                        "*won*",
 28                        "*gift*",
 29                        "*CARTE CADEAU*",
 30                        "*Votre chance*",
 31                        "*survey*",
 32                        "*livraison*",
 33                        "*delivery*",
 34                        "*package*"
 35      )
 36    )
 37  
 38    // body is super short
 39    or length(body.current_thread.text) < 10
 40  
 41    // body has no spaces
 42    or regex.imatch(body.current_thread.text, '[^ ]+')
 43  
 44    // subject is null
 45    or subject.subject == ""
 46  
 47    // dmarc failure
 48    or not headers.auth_summary.dmarc.pass
 49  
 50    // or display text contains suspicious terms
 51    or any(body.links,
 52           regex.icontains(.display_text, 'Congrat|Survey|package|delivery|\bclaim\b')
 53           and not .href_url.domain.root_domain == "surveymonkey.com"
 54    )
 55  
 56    // compauth failure
 57    or any(headers.hops,
 58           .authentication_results.compauth.verdict not in ("pass", "softpass", "none")
 59    )
 60  
 61    // all links display text is null or aka.ms
 62    or (
 63      length(filter(body.links,
 64                    (
 65                      (
 66                        .display_text is null
 67                        and .href_url.domain.root_domain != sender.email.domain.root_domain
 68                      )
 69                      or .href_url.domain.root_domain in (
 70                        "aka.ms",
 71                        "mimecast.com",
 72                        "cisco.com"
 73                      )
 74                    )
 75             )
 76      ) == length(body.links)
 77    )
 78    or (
 79      // fake thread check
 80      regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:.*')
 81      and (
 82        (length(headers.references) == 0 and headers.in_reply_to is null)
 83        or not any(headers.hops,
 84                   any(.fields, strings.ilike(.name, "In-Reply-To"))
 85        )
 86      )
 87    )
 88  )  
 89
 90attack_types:
 91  - "Spam"
 92tactics_and_techniques:
 93  - "Impersonation: Brand"
 94  - "Social engineering"
 95detection_methods:
 96  - "Header analysis"
 97  - "Content analysis"
 98  - "URL analysis"
 99  - "Sender analysis"
100id: "387cacc9-c696-5a23-aa9d-5d0aa45082ff"
to-top