-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
New rule: VIP local_part impersonation from unsolicited sender (#2140)
Co-authored-by: ID Generator <[email protected]> Co-authored-by: Josh Kamdjou <[email protected]>
- Loading branch information
3 people
authored
Nov 20, 2024
1 parent
f081d06
commit a517e57
Showing
1 changed file
with
58 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| name: "VIP local_part impersonation from unsolicited sender" | ||
| description: "This rule identifies potential impersonation attempts involving the local part of an $org_vip email address. Specifically, it checks for cases where the local part of an $org_vip email (e.g., [email protected]) appears with a different domain (e.g., [email protected]). Additionally, the rule flags messages that match an $org_vip address exactly but fail authentication." | ||
| type: "rule" | ||
| severity: "high" | ||
| source: | | ||
| type.inbound | ||
| and any($org_vips, | ||
| strings.contains(sender.email.local_part, ".") | ||
| and strings.starts_with(.email, sender.email.local_part) | ||
| and ( | ||
| sender.email.email != .email | ||
| or ( | ||
| sender.email.email == .email and not headers.auth_summary.dmarc.pass | ||
| ) | ||
| ) | ||
| ) | ||
| and ( | ||
| // ignore personal <> work emails | ||
| // where the sender and mailbox's display name are the same | ||
| length(recipients.to) > 0 | ||
| or length(recipients.cc) > 0 | ||
| or sender.display_name != mailbox.display_name | ||
| ) | ||
| // bounce-back negations | ||
| and not strings.like(sender.email.local_part, | ||
| "*postmaster*", | ||
| "*mailer-daemon*", | ||
| "*administrator*" | ||
| ) | ||
| // negate org domains unless they fail DMARC authentication | ||
| and ( | ||
| ( | ||
| sender.email.domain.root_domain in $org_domains | ||
| and not headers.auth_summary.dmarc.pass | ||
| ) | ||
| or sender.email.domain.root_domain not in $org_domains | ||
| ) | ||
| // negate highly trusted sender domains unless they fail DMARC authentication | ||
| and ( | ||
| ( | ||
| sender.email.domain.root_domain in $high_trust_sender_root_domains | ||
| and not headers.auth_summary.dmarc.pass | ||
| ) | ||
| or sender.email.domain.root_domain not in $high_trust_sender_root_domains | ||
| ) | ||
| and not profile.by_sender().solicited | ||
| tags: | ||
| - "Attack surface reduction" | ||
| tactics_and_techniques: | ||
| - "Impersonation: VIP" | ||
| - "Spoofing" | ||
| detection_methods: | ||
| - "Header analysis" | ||
| - "Sender analysis" | ||
| id: "74035fdc-78c4-5a29-83d8-c1060ead4e28" |