Spam: Single recipient duplicated in cc
Detects spam emails where the 'To' and 'CC' fields match, using indicators such as short body length with spam keywords, unsolicited content, dmarc failures, fake threads, and suspicious links.
Detection Query
// Gate: inbound mail with exactly one To and one CC recipient, from a sender
// this mailbox has not previously solicited, where the To address and the CC
// address are the same. Every later `or` branch is a secondary spam signal;
// any single one of them is enough to fire the rule once the gate is met.
type.inbound
// one recipient and 1 cc
and length(recipients.to) == 1
and length(recipients.cc) == 1
// unsolicited
and not profile.by_sender().solicited
// recipients email matches the cc email
// (`..email.email` is the outer iteration item, i.e. the single To recipient)
and any(recipients.to, any(recipients.cc, .email.email == ..email.email))
// body is short with spam keywords
// ilike is a case-insensitive wildcard match, so "*win*" also matches
// "window"/"winter"; precision relies on the < 150 character bound.
// The list mixes English and French (gift card / your chance / delivery) terms.
and (
  (
    length(body.current_thread.text) < 150
    and strings.ilike(body.current_thread.text,
                      "*congrat*",
                      "*win*",
                      "*expired*",
                      "*subscription*",
                      "*won*",
                      "*gift*",
                      "*CARTE CADEAU*",
                      "*Votre chance*",
                      "*survey*",
                      "*livraison*",
                      "*delivery*",
                      "*package*"
    )
  )
  // body is super short
  or length(body.current_thread.text) < 10
  // body has no spaces
  // imatch must match the entire string, so this is true only when the body
  // contains no space character at all (an empty body does not match `+`).
  or regex.imatch(body.current_thread.text, '[^ ]+')
  // subject is null
  // NOTE(review): this compares against the empty string; a missing (null)
  // subject may not satisfy `== ""` — confirm null handling.
  or subject.subject == ""
  // dmarc failure
  or not headers.auth_summary.dmarc.pass
  // or display text contains suspicious terms
  // Only "claim" is word-bounded; the other terms match as substrings
  // ("package" inside "packaged"). Links rooted at surveymonkey.com are exempt.
  or any(body.links,
         regex.icontains(.display_text,
                         'Congrat|Survey|package|delivery|\bclaim\b'
         )
         and not .href_url.domain.root_domain == "surveymonkey.com"
  )
  // compauth failure
  // Any hop whose compauth verdict is outside the accepted set. Hops that
  // carry no compauth result presumably do not match — confirm.
  or any(headers.hops,
         .authentication_results.compauth.verdict not in (
           "pass",
           "softpass",
           "none"
         )
  )
  // all links display text is null or aka.ms
  // Every link is either (a) text-less and pointing off the sender's root
  // domain, or (b) on one of the four listed root domains (aka.ms is only the
  // first of them).
  // NOTE(review): when body.links is empty both lengths are 0, so this branch
  // is true for any link-free message that passes the gate — confirm intended.
  or (
    length(filter(body.links,
                  (
                    (
                      .display_text is null
                      and .href_url.domain.root_domain != sender.email.domain.root_domain
                    )
                    or .href_url.domain.root_domain in (
                      "aka.ms",
                      "mimecast.com",
                      "mimecastprotect.com",
                      "cisco.com"
                    )
                  )
    )
    ) == length(body.links)
  )
  or (
    // fake thread check
    // Subject looks like a reply/forward (up to three bracketed tags, then
    // re:/fw:/fwd:), yet there is no References list and no In-Reply-To in the
    // parsed headers, or no In-Reply-To field on any hop.
    regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:.*')
    and (
      (length(headers.references) == 0 and headers.in_reply_to is null)
      or not any(headers.hops,
                 any(.fields, strings.ilike(.name, "In-Reply-To"))
      )
    )
  )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Sublime rule definition: metadata plus the MQL detection query in `source`.
name: "Spam: Single recipient duplicated in cc"
description: "Detects spam emails where the 'To' and 'CC' fields match, using indicators such as short body length with spam keywords, unsolicited content, dmarc failures, fake threads, and suspicious links."
type: "rule"
severity: "medium"
# The query below is a literal block scalar; `//` lines inside it are MQL comments.
source: |
  // Gate: inbound mail with exactly one To and one CC recipient, from a sender
  // this mailbox has not previously solicited, where the To address and the CC
  // address are the same. Every later `or` branch is a secondary spam signal;
  // any single one of them is enough to fire the rule once the gate is met.
  type.inbound
  // one recipient and 1 cc
  and length(recipients.to) == 1
  and length(recipients.cc) == 1
  // unsolicited
  and not profile.by_sender().solicited
  // recipients email matches the cc email
  // (`..email.email` is the outer iteration item, i.e. the single To recipient)
  and any(recipients.to, any(recipients.cc, .email.email == ..email.email))
  // body is short with spam keywords
  // ilike is a case-insensitive wildcard match, so "*win*" also matches
  // "window"/"winter"; precision relies on the < 150 character bound.
  // The list mixes English and French (gift card / your chance / delivery) terms.
  and (
    (
      length(body.current_thread.text) < 150
      and strings.ilike(body.current_thread.text,
                        "*congrat*",
                        "*win*",
                        "*expired*",
                        "*subscription*",
                        "*won*",
                        "*gift*",
                        "*CARTE CADEAU*",
                        "*Votre chance*",
                        "*survey*",
                        "*livraison*",
                        "*delivery*",
                        "*package*"
      )
    )
    // body is super short
    or length(body.current_thread.text) < 10
    // body has no spaces
    // imatch must match the entire string, so this is true only when the body
    // contains no space character at all (an empty body does not match `+`).
    or regex.imatch(body.current_thread.text, '[^ ]+')
    // subject is null
    // NOTE(review): this compares against the empty string; a missing (null)
    // subject may not satisfy `== ""` — confirm null handling.
    or subject.subject == ""
    // dmarc failure
    or not headers.auth_summary.dmarc.pass
    // or display text contains suspicious terms
    // Only "claim" is word-bounded; the other terms match as substrings
    // ("package" inside "packaged"). Links rooted at surveymonkey.com are exempt.
    or any(body.links,
           regex.icontains(.display_text,
                           'Congrat|Survey|package|delivery|\bclaim\b'
           )
           and not .href_url.domain.root_domain == "surveymonkey.com"
    )
    // compauth failure
    // Any hop whose compauth verdict is outside the accepted set. Hops that
    // carry no compauth result presumably do not match — confirm.
    or any(headers.hops,
           .authentication_results.compauth.verdict not in (
             "pass",
             "softpass",
             "none"
           )
    )
    // all links display text is null or aka.ms
    // Every link is either (a) text-less and pointing off the sender's root
    // domain, or (b) on one of the four listed root domains (aka.ms is only the
    // first of them).
    // NOTE(review): when body.links is empty both lengths are 0, so this branch
    // is true for any link-free message that passes the gate — confirm intended.
    or (
      length(filter(body.links,
                    (
                      (
                        .display_text is null
                        and .href_url.domain.root_domain != sender.email.domain.root_domain
                      )
                      or .href_url.domain.root_domain in (
                        "aka.ms",
                        "mimecast.com",
                        "mimecastprotect.com",
                        "cisco.com"
                      )
                    )
      )
      ) == length(body.links)
    )
    or (
      // fake thread check
      // Subject looks like a reply/forward (up to three bracketed tags, then
      // re:/fw:/fwd:), yet there is no References list and no In-Reply-To in the
      // parsed headers, or no In-Reply-To field on any hop.
      regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:.*')
      and (
        (length(headers.references) == 0 and headers.in_reply_to is null)
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
    )
  )
# Classification tags used for search and reporting.
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Content analysis"
  - "URL analysis"
  - "Sender analysis"
# Stable rule identifier.
id: "387cacc9-c696-5a23-aa9d-5d0aa45082ff"