VIP local_part impersonation from unsolicited sender

This rule identifies potential impersonation attempts involving the local part of an $org_vip email address. Specifically, it checks for cases where the local part of an $org_vip email (e.g., local_part@domain.com) appears with a different domain (e.g., local_part@foreigndomain.com). Additionally, the rule flags messages that match an $org_vip address exactly but fail authentication.

Sublime rule

name: "VIP local_part impersonation from unsolicited sender"
description: "This rule identifies potential impersonation attempts involving the local part of an $org_vip email address. Specifically, it checks for cases where the local part of an $org_vip email (e.g., local_part@domain.com) appears with a different domain (e.g., local_part@foreigndomain.com). Additionally, the rule flags messages that match an $org_vip address exactly but fail authentication."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any($org_vips,
          strings.contains(sender.email.local_part, ".")
          and strings.starts_with(.email, sender.email.local_part)
          and (
            sender.email.email != .email
            or (
              sender.email.email == .email and not headers.auth_summary.dmarc.pass
            )
          )
  )

  and (
    // ignore personal <> work emails
    // where the sender and mailbox's display name are the same
    length(recipients.to) > 0
    or length(recipients.cc) > 0
    or sender.display_name != mailbox.display_name
  )
  // bounce-back negations
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )

  // negate org domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $org_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $org_domains
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and not profile.by_sender().solicited
tags:
  - "Attack surface reduction"
tactics_and_techniques:
  - "Impersonation: VIP"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "74035fdc-78c4-5a29-83d8-c1060ead4e28"
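To make the rule's clause ordering concrete, here is an added Python re-implementation of its logic over constructed messages; it is not part of the Sublime rule set, and the VIP list, org domains, high-trust domains and the simplified root-domain and case handling are assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for $org_vips, $org_domains and
# $high_trust_sender_root_domains (hypothetical values, not from the rule page).
ORG_VIPS = ["jane.doe@example.com", "ceo.office@example.com"]
ORG_DOMAINS = {"example.com"}
HIGH_TRUST_ROOT_DOMAINS = {"trustedvendor.com"}
BOUNCE_PATTERNS = ("postmaster", "mailer-daemon", "administrator")


@dataclass
class Message:
    """Minimal stand-in for the message fields the rule reads."""
    sender_email: str
    sender_display_name: str
    mailbox_display_name: str
    dmarc_pass: bool          # headers.auth_summary.dmarc.pass
    solicited: bool           # profile.by_sender().solicited
    to: list = field(default_factory=list)
    cc: list = field(default_factory=list)

    @property
    def local_part(self) -> str:
        return self.sender_email.split("@", 1)[0].lower()

    @property
    def root_domain(self) -> str:
        # Assumption: the last two labels are the root domain (no public-suffix list).
        return ".".join(self.sender_email.split("@", 1)[1].lower().split(".")[-2:])


def vip_local_part_impersonation(msg: Message) -> bool:
    """Return True when the message matches the rule, mirroring its clauses in order."""
    lp = msg.local_part
    # any($org_vips, ...): dotted local part that prefixes a VIP address, and either
    # a different full address or the same address failing DMARC.
    vip_hit = "." in lp and any(
        vip.lower().startswith(lp)
        and (msg.sender_email.lower() != vip.lower() or not msg.dmarc_pass)
        for vip in ORG_VIPS
    )
    if not vip_hit:
        return False
    # ignore personal <> work mail: no To/CC and identical display names
    if not (msg.to or msg.cc or msg.sender_display_name != msg.mailbox_display_name):
        return False
    if any(p in lp for p in BOUNCE_PATTERNS):  # bounce-back negations
        return False
    # org and high-trust root domains are negated unless DMARC fails
    rd = msg.root_domain
    if rd in (ORG_DOMAINS | HIGH_TRUST_ROOT_DOMAINS) and msg.dmarc_pass:
        return False
    return not msg.solicited
```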
