Spoofable internal domain with suspicious signals

The sender is a known org domain and doesn't use a known org display name. SPF and DMARC verdicts are "none", which means the domain is spoofable. We then look for a combination of other suspicious signals such as a suspicious link or suspicious language.

False Positives may occur with automated sending systems that send rich text emails, in which case we can add additional signals or exclude those.

Sublime rule (View on GitHub)

 1name: "Spoofable internal domain with suspicious signals"
 2description: |
 3  The sender is a known org domain and doesn't use a known org display name.
 4  SPF and DMARC verdicts are "none", which means the domain is spoofable.
 5  We then look for a combination of other suspicious signals such as a suspicious
 6  link or suspicious language.
 7
 8  False Positives may occur with automated sending systems that send rich text emails,
 9  in which case we can add additional signals or exclude those.  
10type: "rule"
11severity: "medium"
12source: |
13  type.inbound
14  and sender.email.domain.domain in $org_domains
15  
16  // doesn't match an org display name (generic)
17  // we could make this more generic later
18  and sender.display_name not in $org_display_names
19  and any(headers.hops,
20  
21          // find the hop Authentication-results for the org domain
22          .authentication_results.dmarc_details.from.domain in $org_domains
23  
24          // internal domain is spoofable
25          and .authentication_results.dmarc == "none"
26          and .authentication_results.spf == "none"
27          and .authentication_results.compauth.verdict not in ("pass", "softpass")
28  )
29  and 3 of (
30    (
31      // low reputation / suspicious link
32      any(body.links,
33          .href_url.domain.root_domain not in $org_domains
34          and (
35            .href_url.domain.root_domain not in $tranco_1m
36            or .href_url.domain.domain in $free_file_hosts
37            or .href_url.domain.root_domain in $free_file_hosts
38            or .href_url.domain.root_domain in $free_subdomain_hosts
39            or .href_url.domain.domain in $url_shorteners
40          )
41      )
42    ),
43    (
44      // sender domain matches no body domains
45      length(body.links) > 0
46      and all(body.links,
47              .href_url.domain.root_domain != sender.email.domain.root_domain
48      )
49    ),
50    (
51      // suspicious domain in headers
52      any(headers.domains,
53          // it's not an org domain
54          .root_domain not in $org_domains
55  
56          // low reputation
57          and .root_domain not in $alexa_1m
58  
59          // no one has sent an email to it before
60          and .root_domain not in $recipient_domains
61      )
62    ),
63    (
64      // suspicious language
65      any(ml.nlu_classifier(body.current_thread.text).intents,
66          .name != "benign" and .confidence == "high"
67      )
68    ),
69    (
70      // suspicious language
71      any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).intents,
72          .name != "benign" and .confidence == "high"
73      )
74    ),
75  )  
76
77tags:
78  - "Attack surface reduction"
79attack_types:
80  - "Credential Phishing"
81tactics_and_techniques:
82  - "Free file host"
83  - "Free subdomain host"
84  - "Social engineering"
85  - "Spoofing"
86detection_methods:
87  - "Content analysis"
88  - "Header analysis"
89  - "Natural Language Understanding"
90  - "Sender analysis"
91id: "40089d69-9150-5270-97f1-9f68e4ca9a5a"

Related rules

to-top