VIP local_part impersonation from unsolicited sender

This rule identifies potential impersonation attempts involving the local part of an $org_vip email address. Specifically, it checks for cases where the local part of an $org_vip email (e.g., local_part@domain.com) appears with a different domain (e.g., local_part@foreigndomain.com). Additionally, the rule flags messages that match an $org_vip address exactly but fail authentication.

Sublime rule (View on GitHub)

 1name: "VIP local_part impersonation from unsolicited sender"
 2description: "This rule identifies potential impersonation attempts involving the local part of an $org_vip email address. Specifically, it checks for cases where the local part of an $org_vip email (e.g., local_part@domain.com) appears with a different domain (e.g., local_part@foreigndomain.com). Additionally, the rule flags messages that match an $org_vip address exactly but fail authentication."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any($org_vips,
 8          strings.contains(sender.email.local_part, ".")
 9          and strings.starts_with(.email, sender.email.local_part)
10          and (
11            sender.email.email != .email
12            or (
13              sender.email.email == .email and not headers.auth_summary.dmarc.pass
14            )
15          )
16  )
17  and (
18    // ignore personal <> work emails
19    // where the sender and mailbox's display name are the same
20    length(recipients.to) > 0
21    or length(recipients.cc) > 0
22    or sender.display_name != mailbox.display_name
23  )
24  // bounce-back negations
25  and not strings.like(sender.email.local_part,
26                       "*postmaster*",
27                       "*mailer-daemon*",
28                       "*administrator*"
29  )
30  
31  // negate org domains unless they fail DMARC authentication
32  and (
33    (
34      sender.email.domain.root_domain in $org_domains
35      and not headers.auth_summary.dmarc.pass
36    )
37    or sender.email.domain.root_domain not in $org_domains
38  )
39  
40  // negate highly trusted sender domains unless they fail DMARC authentication
41  and (
42    (
43      sender.email.domain.root_domain in $high_trust_sender_root_domains
44      and not headers.auth_summary.dmarc.pass
45    )
46    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
47  )
48  // sender profile
49  and (
50    not profile.by_sender_email().solicited
51    or not profile.by_sender_email().any_messages_benign
52    or (
53      profile.by_sender_email().any_messages_malicious_or_spam
54      and not profile.by_sender_email().any_messages_benign
55    )
56    or (
57      sender.email.domain.domain in $org_domains
58      and not coalesce(headers.auth_summary.dmarc.pass, false)
59    )
60  )  
61tags:
62  - "Attack surface reduction"
63tactics_and_techniques:
64  - "Impersonation: VIP"
65  - "Spoofing"
66detection_methods:
67  - "Header analysis"
68  - "Sender analysis"
69id: "74035fdc-78c4-5a29-83d8-c1060ead4e28"

