Spoofable internal domain with suspicious signals

The sender address is on a known org domain, but the display name is not one of the known org display names. The SPF and DMARC verdicts for that domain are "none" (no SPF record or DMARC policy protects it) and the composite authentication (compauth) verdict is not a pass, which means anyone can send mail claiming to be from the domain. The rule then requires a combination of other suspicious signals, such as a low-reputation or free-host link, a suspicious domain in the headers, or suspicious language in the message body.

False positives may occur with automated internal sending systems that send rich-text email from an org domain without authenticating it; in that case, add additional signals or exclude those senders.

Sublime rule

name: "Spoofable internal domain with suspicious signals"
description: |
  The sender is a known org domain and doesn't use a known org display name.
  SPF and DMARC verdicts are "none", which means the domain is spoofable.
  We then look for a combination of other suspicious signals such as a suspicious
  link or suspicious language.

  False positives may occur with automated sending systems that send rich text emails,
  in which case we can add additional signals or exclude those.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.domain in $org_domains

  // doesn't match an org display name (generic)
  // we could make this more generic later
  and sender.display_name not in $org_display_names
  and any(headers.hops,

          // find the hop Authentication-Results for the org domain
          .authentication_results.dmarc_details.from.domain in $org_domains

          // internal domain is spoofable
          and .authentication_results.dmarc == "none"
          and .authentication_results.spf == "none"
          and .authentication_results.compauth.verdict not in ("pass", "softpass")
  )
  and 3 of (
    (
      // low reputation / suspicious link
      any(body.links,
          .href_url.domain.root_domain not in $org_domains
          and (
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or .href_url.domain.domain in $social_landing_hosts
          )
      )
    ),
    (
      // sender domain matches no body link domains
      length(body.links) > 0
      and all(body.links,
              .href_url.domain.root_domain != sender.email.domain.root_domain
      )
    ),
    (
      // suspicious domain in headers
      any(headers.domains,
          // it's not an org domain
          .root_domain not in $org_domains

          // low reputation
          and .root_domain not in $alexa_1m

          // no one in the org has sent an email to it before
          and .root_domain not in $recipient_domains
      )
    ),
    (
      // suspicious language
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name != "benign" and .confidence == "high"
      )
    )
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "40089d69-9150-5270-97f1-9f68e4ca9a5a"
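The following is an added example, not Sublime's code or detection engine: a stand-alone Python approximation of the rule's logic run against a constructed message, to show how the spoofable-sender preconditions gate the "3 of" signal count. Sublime's lists (`$org_domains`, `$org_display_names`, `$tranco_1m`, `$free_file_hosts`, `$free_subdomain_hosts`, `$url_shorteners`, `$recipient_domains`) are replaced by small inline sets, `headers.domains` is approximated from the address headers and `Received` hosts, the registered-domain split ignores the public suffix list, and the `ml.nlu_classifier` intent check is replaced by a keyword heuristic. All of those are assumptions made for illustration, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed stand-ins for Sublime's lists ($org_domains, $tranco_1m, ...).
ORG_DOMAINS = {"example.com"}
ORG_DISPLAY_NAMES = {"Example IT", "Example Payroll"}
TOP_1M = {"google.com", "microsoft.com", "example.com"}  # stands in for $tranco_1m / $alexa_1m
FREE_FILE_HOSTS = {"transfer.sh", "wetransfer.com"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "000webhostapp.com"}
URL_SHORTENERS = {"bit.ly", "t.co"}
RECIPIENT_DOMAINS = {"example.com", "partner.example.org"}  # domains the org has mailed before
# Keyword heuristic standing in for ml.nlu_classifier (an assumption, not Sublime's model).
SUSPICIOUS_PHRASES = ("verify your account", "password", "immediately", "urgent")

# Constructed sample: spoofed internal sender, spf/dmarc none, compauth fail, shortener link.
SPOOFED_MSG = """\
From: Helpdesk <it-support@example.com>
To: jane@example.com
Return-Path: <bounce@mailer-update-portal.xyz>
Message-ID: <20240101.1@mailer-update-portal.xyz>
Received: from mailer-update-portal.xyz (mailer-update-portal.xyz [203.0.113.5]) by mx.example.com
Authentication-Results: mx.example.com; spf=none smtp.mailfrom=example.com; dkim=none; dmarc=none header.from=example.com; compauth=fail reason=001
Content-Type: text/html
Subject: Urgent: password expires today

<p>Your password expires today. Verify your account immediately:
<a href="https://bit.ly/3abcXYZ">Reset now</a></p>
"""

def root_domain(host: str) -> str:
    """Registered domain, simplified to the last two labels (no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def parse_auth_results(value: str) -> dict:
    """Parse 'authserv-id; spf=none ...; dmarc=none header.from=x; compauth=fail ...'."""
    result = {}
    for clause in value.split(";")[1:]:
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if m:
            result[m.group(1)] = m.group(2).lower()
        hf = re.search(r"header\.from=([\w.-]+)", clause)
        if hf:
            result["from_domain"] = hf.group(1).lower()
    return result

def header_domains(msg) -> set:
    """Approximates headers.domains: address domains plus hosts named in Received."""
    found = set()
    for name in ("From", "Reply-To", "Return-Path", "Message-ID"):
        for value in msg.get_all(name, []):
            addr = parseaddr(value)[1]
            if "@" in addr:
                found.add(addr.rsplit("@", 1)[1].lower())
    for value in msg.get_all("Received", []):
        found.update(h.lower() for h in re.findall(r"(?:from|by)\s+([\w.-]+\.[a-z]{2,})", value, re.I))
    return found

def evaluate(raw: str) -> dict:
    """Apply the rule's preconditions and count its '3 of' signals for one message."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    spoofable_org_sender = (
        sender_domain in ORG_DOMAINS
        and display_name not in ORG_DISPLAY_NAMES
        and auth.get("from_domain") in ORG_DOMAINS
        and auth.get("dmarc") == "none"
        and auth.get("spf") == "none"
        and auth.get("compauth") not in ("pass", "softpass")
    )

    html = msg.get_payload()
    links = [h for h in (urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', html)) if h]
    text = re.sub(r"<[^>]+>", " ", html).lower()

    signals = {
        "suspicious_link": any(
            root_domain(h) not in ORG_DOMAINS
            and (root_domain(h) not in TOP_1M
                 or h in FREE_FILE_HOSTS or root_domain(h) in FREE_FILE_HOSTS
                 or root_domain(h) in FREE_SUBDOMAIN_HOSTS or h in URL_SHORTENERS)
            for h in links),
        "no_link_matches_sender": bool(links) and all(
            root_domain(h) != root_domain(sender_domain) for h in links),
        "suspicious_header_domain": any(
            root_domain(d) not in ORG_DOMAINS
            and root_domain(d) not in TOP_1M
            and root_domain(d) not in RECIPIENT_DOMAINS
            for d in header_domains(msg)),
        "suspicious_language": any(p in text for p in SUSPICIOUS_PHRASES),
    }
    hits = sum(signals.values())
    return {"match": spoofable_org_sender and hits >= 3, "hits": hits, "signals": signals}

if __name__ == "__main__":
    print(evaluate(SPOOFED_MSG))
    # Same message with a known org display name: the precondition fails, so no match.
    print(evaluate(SPOOFED_MSG.replace("Helpdesk", "Example IT")))
```

The sample trips all four signals, but the rule only fires because the sender preconditions hold; flipping the display name to a known org name, or the `compauth` verdict to `pass`, short-circuits it regardless of how many body and header signals remain. That is the tuning lever the false-positive note above refers to: an automated internal sender can be excluded at the precondition stage rather than by weakening the signal count.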
