Suspicious sender display name with long procedurally generated text blob

 1name: "Suspicious sender display name with long procedurally generated text blob"
 2description: "This rule identifies sender display names containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and regex.icontains(sender.display_name, '\b[\w\p{L}\p{N}]{35,}\b')
 8  and not regex.icontains(sender.display_name, '_bot_[a-f0-9]{32}\)')
 9  and not regex.match(sender.display_name, '\b[\w\p{L}\p{N}]{35,}\b')
10  and not (sender.email.email == "" or sender.email.domain.valid == false)
11  // negate org domains unless they fail DMARC authentication
12  and (
13    (
14      sender.email.domain.root_domain in $org_domains
15      and not headers.auth_summary.dmarc.pass
16    )
17    or sender.email.domain.root_domain not in $org_domains
18  )
19  
20  // negate highly trusted sender domains unless they fail DMARC authentication
21  and (
22    (
23      sender.email.domain.root_domain in $high_trust_sender_root_domains
24      and not headers.auth_summary.dmarc.pass
25    )
26    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
27  )
28  and not profile.by_sender_email().any_false_positives  
29attack_types:
30  - "Credential Phishing"
31tactics_and_techniques:
32  - "Evasion"
33detection_methods:
34  - "Content analysis"
35  - "Sender analysis"
36id: "2a40b043-52dc-59ca-8519-3793e8817d07"