EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Spoofable internal domain with suspicious signals

The sender is a known org domain and doesn't use a known org display name. SPF and DMARC verdicts are "none", which means the domain is spoofable. We then look for a combination of other suspicious signals such as a suspicious link or suspicious language. False Positives may occur with automated sending systems that send rich text emails, in which case we can add additional signals or exclude those.

MITRE ATT&CK

T1566T1566.001T1566.002T1598
initial-access

Detection Query

type.inbound
and sender.email.domain.domain in $org_domains

// doesn't match an org display name (generic)
// we could make this more generic later
and sender.display_name not in $org_display_names
and any(headers.hops,

        // find the hop Authentication-results for the org domain
        .authentication_results.dmarc_details.from.domain in $org_domains

        // internal domain is spoofable
        and .authentication_results.dmarc == "none"
        and .authentication_results.spf == "none"
        and .authentication_results.compauth.verdict not in ("pass", "softpass")
)
and 3 of (
  (
    // low reputation / suspicious link
    any(body.links,
        .href_url.domain.root_domain not in $org_domains
        and (
          .href_url.domain.root_domain not in $tranco_1m
          or .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.domain in $url_shorteners
          or .href_url.domain.domain in $social_landing_hosts
        )
    )
  ),
  (
    // sender domain matches no body domains
    length(body.links) > 0
    and all(body.links,
            .href_url.domain.root_domain != sender.email.domain.root_domain
    )
  ),
  (
    // suspicious domain in headers
    any(headers.domains,
        // it's not an org domain
        .root_domain not in $org_domains

        // low reputation
        and .root_domain not in $alexa_1m

        // no one has sent an email to it before
        and .root_domain not in $recipient_domains
    )
  ),
  (
    // suspicious language
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name != "benign" and .confidence == "high"
    )
  ),
  (
    // suspicious language
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name != "benign" and .confidence == "high"
    )
  ),
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "Spoofable internal domain with suspicious signals"
description: |
  The sender is a known org domain and doesn't use a known org display name.
  SPF and DMARC verdicts are "none", which means the domain is spoofable.
  We then look for a combination of other suspicious signals such as a suspicious
  link or suspicious language.

  False Positives may occur with automated sending systems that send rich text emails,
  in which case we can add additional signals or exclude those.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.domain in $org_domains
  
  // doesn't match an org display name (generic)
  // we could make this more generic later
  and sender.display_name not in $org_display_names
  and any(headers.hops,
  
          // find the hop Authentication-results for the org domain
          .authentication_results.dmarc_details.from.domain in $org_domains
  
          // internal domain is spoofable
          and .authentication_results.dmarc == "none"
          and .authentication_results.spf == "none"
          and .authentication_results.compauth.verdict not in ("pass", "softpass")
  )
  and 3 of (
    (
      // low reputation / suspicious link
      any(body.links,
          .href_url.domain.root_domain not in $org_domains
          and (
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or .href_url.domain.domain in $social_landing_hosts
          )
      )
    ),
    (
      // sender domain matches no body domains
      length(body.links) > 0
      and all(body.links,
              .href_url.domain.root_domain != sender.email.domain.root_domain
      )
    ),
    (
      // suspicious domain in headers
      any(headers.domains,
          // it's not an org domain
          .root_domain not in $org_domains
  
          // low reputation
          and .root_domain not in $alexa_1m
  
          // no one has sent an email to it before
          and .root_domain not in $recipient_domains
      )
    ),
    (
      // suspicious language
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name != "benign" and .confidence == "high"
      )
    ),
    (
      // suspicious language
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name != "benign" and .confidence == "high"
      )
    ),
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "40089d69-9150-5270-97f1-9f68e4ca9a5a"