← Back to Explore
sublimemediumRule
Sender name contains Active Directory distinguished name
Sender's display name contains an Active Directory distinguished name or a similar string. This has been observed as a malicious indicator in the wild.
Detection Query
type.inbound
and (
regex.icontains(sender.display_name, '\b(EX|LABS|OU|CN|EXCHANGE)(=|/)')
or strings.icontains(sender.display_name, "/O=EXCHANGELABS")
)
and sender.email.domain.root_domain not in $org_domains
and not (
sender.email.domain.root_domain in ('fnfcorp.com')
and headers.auth_summary.dmarc.pass
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Suspicious sender
Raw Content
name: "Sender name contains Active Directory distinguished name"
description: |
Sender's display name contains an Active Directory distinguished name or a similar string. This has been observed as a malicious indicator in the wild.
type: "rule"
severity: "medium"
source: |
type.inbound
and (
regex.icontains(sender.display_name, '\b(EX|LABS|OU|CN|EXCHANGE)(=|/)')
or strings.icontains(sender.display_name, "/O=EXCHANGELABS")
)
and sender.email.domain.root_domain not in $org_domains
and not (
sender.email.domain.root_domain in ('fnfcorp.com')
and headers.auth_summary.dmarc.pass
)
tags:
- "Suspicious sender"
attack_types:
- "Credential Phishing"
detection_methods:
- "Sender analysis"
id: "4f3c4901-a4ad-509b-ab83-bf3f118a3940"