EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Suspicious sender display name with long procedurally generated text blob

This rule identifies sender display names containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1036T1027
defense-evasion

Detection Query

type.inbound
and regex.icontains(sender.display_name, '\b[\w\p{L}\p{N}]{35,}\b')
and not regex.icontains(sender.display_name, '_bot_[a-f0-9]{32}\)')
and not regex.match(sender.display_name, '\b[\w\p{L}\p{N}]{35,}\b')
and not (sender.email.email == "" or sender.email.domain.valid == false)
// negate org domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $org_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $org_domains
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender_email().any_messages_benign

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Suspicious sender display name with long procedurally generated text blob"
description: "This rule identifies sender display names containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and regex.icontains(sender.display_name, '\b[\w\p{L}\p{N}]{35,}\b')
  and not regex.icontains(sender.display_name, '_bot_[a-f0-9]{32}\)')
  and not regex.match(sender.display_name, '\b[\w\p{L}\p{N}]{35,}\b')
  and not (sender.email.email == "" or sender.email.domain.valid == false)
  // negate org domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $org_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $org_domains
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and not profile.by_sender_email().any_messages_benign
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "2a40b043-52dc-59ca-8519-3793e8817d07"