Spoofable internal domain with suspicious signals
The sender's address is on an org domain, but the display name is not one of the org's known display names. The SPF and DMARC verdicts for the message are both "none", meaning the domain published no SPF record and no DMARC policy was evaluated, so nothing stops an outside party from sending mail as that domain. Because an unauthenticated internal domain alone is common in legitimate traffic, the rule only fires when at least three further signals line up: a low-reputation or free-hosted link, no link pointing back at the sender's domain, an unfamiliar domain in the headers, or a high-confidence non-benign intent from the NLU classifier.
False positives may occur with automated sending systems that send rich-text email from the org domain without proper authentication; in that case add further signals or exclude those senders. Note also that the link check measures reputation against $tranco_1m while the header-domain check still uses $alexa_1m; both are used as "well-known domain" allow-lists, so keep them consistent if you fork the rule.
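The following Python script is an added illustration and is not Sublime's code or MQL; it re-implements the rule's core logic over a raw RFC 822 message so the three-part structure (org sender, unauthenticated domain, three supporting signals) can be tested offline. The org, reputation, free-host and shortener lists, the keyword-based stand-in for ml.nlu_classifier, the last-two-labels root-domain guess, and both sample messages are all constructed assumptions.

```python
"""Added example (not Sublime's rule code): a stand-in for the
'Spoofable internal domain with suspicious signals' logic."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed stand-ins for Sublime's $org_domains, $org_display_names, etc.
ORG_DOMAINS = {"example.com"}
ORG_DISPLAY_NAMES = {"example corp", "example it"}
RECIPIENT_DOMAINS = {"partner.example.net"}
TOP_SITES = {"microsoft.com", "google.com", "example.com", "partner.example.net"}  # ~ $tranco_1m
FREE_FILE_HOSTS = {"dropbox.com", "wetransfer.com"}
FREE_SUBDOMAIN_HOSTS = {"github.io", "web.app"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com"}
# Assumed keyword stand-in for a high-confidence non-benign NLU intent.
SUSPICIOUS_PHRASES = ("verify your account", "password will expire", "urgent")


def root_domain(host):
    """Crude registrable-domain guess (last two labels); no public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_auth_results(value):
    """Flatten an Authentication-Results header into {'spf': 'none', 'dmarc.header.from': ...}."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop (comments) such as sender IP
    out = {}
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, verdict = tokens[0].split("=", 1)
        out[method] = verdict.lower()
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                out[f"{method}.{key}"] = val.lower()
    return out


def internal_domain_spoofable(msg):
    """Mirror of the headers.hops block: a hop whose DMARC From-domain is an org domain
    with spf=none, dmarc=none and no composite-auth pass."""
    for value in msg.get_all("Authentication-Results", []):
        ar = parse_auth_results(str(value))
        if (ar.get("dmarc.header.from") in ORG_DOMAINS
                and ar.get("dmarc") == "none" and ar.get("spf") == "none"
                and ar.get("compauth") not in ("pass", "softpass")):
            return True
    return False


def signals(msg, sender_domain):
    """Return the supporting signals as a dict of booleans (the rule needs 3 of them)."""
    body = msg.get_content()
    hosts = [(urlparse(u).hostname or "").lower()
             for u in re.findall(r"https?://[^\s\"'<>]+", body)]
    hosts = [h for h in hosts if h]
    sender_root = root_domain(sender_domain)
    suspicious_link = any(
        root_domain(h) not in ORG_DOMAINS and (
            root_domain(h) not in TOP_SITES
            or h in FREE_FILE_HOSTS or root_domain(h) in FREE_FILE_HOSTS
            or root_domain(h) in FREE_SUBDOMAIN_HOSTS
            or h in URL_SHORTENERS)
        for h in hosts)
    no_link_on_sender_domain = bool(hosts) and all(root_domain(h) != sender_root for h in hosts)
    # Simplification of headers.domains: only mailbox domains found in header values.
    header_hosts = {m.lower() for _, v in msg.items() for m in re.findall(r"@([\w.-]+\.\w+)", str(v))}
    suspicious_header_domain = any(
        root_domain(h) not in ORG_DOMAINS and root_domain(h) not in TOP_SITES
        and root_domain(h) not in RECIPIENT_DOMAINS for h in header_hosts)
    text = re.sub(r"<[^>]+>", " ", body).lower()
    suspicious_language = any(p in text for p in SUSPICIOUS_PHRASES)
    return {"suspicious_link": suspicious_link,
            "no_link_on_sender_domain": no_link_on_sender_domain,
            "suspicious_header_domain": suspicious_header_domain,
            "suspicious_language": suspicious_language}


def rule_matches(raw):
    """True when the message would trip the rule under the assumed lists above."""
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if sender_domain not in ORG_DOMAINS or display.strip().lower() in ORG_DISPLAY_NAMES:
        return False
    if not internal_domain_spoofable(msg):
        return False
    return sum(signals(msg, sender_domain).values()) >= 3


# Constructed sample messages (not real traffic).
SPOOFED = """From: "IT Helpdesk" <it-helpdesk@example.com>
To: alice@example.com
Reply-To: helpdesk@mail-recovery-portal.xyz
Authentication-Results: mx.example.com; spf=none (sender IP is 203.0.113.5) smtp.mailfrom=example.com; dkim=none; dmarc=none action=none header.from=example.com; compauth=none reason=001
Subject: Action required
Content-Type: text/html

<p>Urgent: your password will expire today. <a href="https://wetransfer.com/x">Verify your account</a></p>
"""

LEGIT = """From: "Payroll Bot" <payroll@example.com>
To: alice@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass action=none header.from=example.com; compauth=pass reason=100
Subject: Your payslip
Content-Type: text/html

<p>Your payslip is available at <a href="https://example.com/payroll">the portal</a>.</p>
"""

if __name__ == "__main__":
    print("spoofed:", rule_matches(SPOOFED), "legit:", rule_matches(LEGIT))
```

The spoofed sample trips all four signals (free file host, no link back to example.com, an unknown Reply-To domain, and urgency language), while the automated payroll message is dropped at the authentication check even though its display name is not an org display name, which is exactly the false-positive path the caveat above describes when such a system is left unauthenticated.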
Sublime rule
name: "Spoofable internal domain with suspicious signals"
description: |
  The sender is a known org domain and doesn't use a known org display name.
  SPF and DMARC verdicts are "none", which means the domain is spoofable.
  We then look for a combination of other suspicious signals such as a suspicious
  link or suspicious language.

  False Positives may occur with automated sending systems that send rich text emails,
  in which case we can add additional signals or exclude those.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.domain in $org_domains

  // doesn't match an org display name (generic)
  // we could make this more generic later
  and sender.display_name not in $org_display_names
  and any(headers.hops,

          // find the hop Authentication-Results for the org domain
          .authentication_results.dmarc_details.from.domain in $org_domains

          // internal domain is spoofable: no SPF record, no DMARC policy,
          // and composite authentication did not pass
          and .authentication_results.dmarc == "none"
          and .authentication_results.spf == "none"
          and .authentication_results.compauth.verdict not in ("pass", "softpass")
  )
  and 3 of (
    (
      // low reputation / suspicious link
      any(body.links,
          .href_url.domain.root_domain not in $org_domains
          and (
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
          )
      )
    ),
    (
      // sender domain matches no body domains
      length(body.links) > 0
      and all(body.links,
              .href_url.domain.root_domain != sender.email.domain.root_domain
      )
    ),
    (
      // suspicious domain in headers
      any(headers.domains,
          // it's not an org domain
          .root_domain not in $org_domains

          // low reputation
          and .root_domain not in $alexa_1m

          // no one has sent an email to it before
          and .root_domain not in $recipient_domains
      )
    ),
    (
      // suspicious language (listed once: a duplicate copy of this clause
      // would let one NLU hit count as two of the three required signals)
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name != "benign" and .confidence == "high"
      )
    )
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "40089d69-9150-5270-97f1-9f68e4ca9a5a"