VIP local_part impersonation from unsolicited sender
This rule identifies potential impersonation attempts involving the local part of an $org_vip email address. Specifically, it checks for cases where the local part of an $org_vip email (e.g., local_part@domain.com) appears with a different domain (e.g., local_part@foreigndomain.com). Additionally, the rule flags messages that match an $org_vip address exactly but fail authentication.
Sublime rule (View on GitHub)
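name: "VIP local_part impersonation from unsolicited sender"
description: "This rule identifies potential impersonation attempts involving the local part of an $org_vip email address. Specifically, it checks for cases where the local part of an $org_vip email (e.g., local_part@domain.com) appears with a different domain (e.g., local_part@foreigndomain.com). Additionally, the rule flags messages that match an $org_vip address exactly but fail authentication."
type: "rule"
severity: "high"
source: |
  type.inbound
  // the sender's dotted local_part (e.g. first.last) is reused as the start of a
  // VIP's address, and the sender is either not that VIP's address or is the
  // exact address but does not pass DMARC
  and any($org_vips,
          strings.contains(sender.email.local_part, ".")
          // prefix check against the full VIP address: a sender local_part that is
          // a prefix of a longer VIP local_part also matches - verify this breadth
          // is intended
          and strings.starts_with(.email, sender.email.local_part)
          and (
            sender.email.email != .email
            or (
              sender.email.email == .email
              // coalesce: a missing DMARC result is treated as not passing, for
              // consistency with the org-domain check in the sender-profile block
              and not coalesce(headers.auth_summary.dmarc.pass, false)
            )
          )
  )
  and (
    // ignore personal <> work emails
    // where the sender and mailbox's display name are the same
    length(recipients.to) > 0
    or length(recipients.cc) > 0
    or sender.display_name != mailbox.display_name
  )
  // bounce-back negations
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )

  // negate org domains unless they fail (or lack) DMARC authentication;
  // coalesce keeps a null DMARC result from nulling out the whole rule
  and (
    (
      sender.email.domain.root_domain in $org_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
    or sender.email.domain.root_domain not in $org_domains
  )

  // negate highly trusted sender domains unless they fail (or lack) DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender profile: unsolicited, never seen benign, or an org-domain sender
  // that does not pass DMARC
  and (
    not profile.by_sender_email().solicited
    or not profile.by_sender_email().any_messages_benign
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
    or (
      sender.email.domain.domain in $org_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
  )
tags:
  - "Attack surface reduction"
tactics_and_techniques:
  - "Impersonation: VIP"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "74035fdc-78c4-5a29-83d8-c1060ead4e28"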