Impersonation using recipient domain (untrusted sender)

name: "Impersonation using recipient domain (untrusted sender)"
description: |
  The recipient's domain is used in the sender's display name
  in order to impersonate the organization. The impersonation has been 
  observed to use both the recipient's full email address, as well as 
  just the domain.
type: "rule"
severity: "medium"
source: |
  type.inbound
  
  // only 1 To: recipient
  and length(recipients.to) + length(recipients.bcc) + length(recipients.cc) == 1
  and any(recipients.to,
          // custom domains only
          sender.email.domain.domain not in $free_email_providers
  
          // recipient's domain is in the sender's display name
          and strings.icontains(sender.display_name, .email.domain.root_domain)
  )
  and not (
    (
      strings.contains(sender.display_name, "on behalf of")
      and sender.email.domain.root_domain == "microsoftonline.com"
    )
    or (
      strings.contains(sender.display_name, "via TransferXL")
      and sender.email.domain.root_domain == "transferxl.com"
    )
  )
  and all(recipients.to,
          .email.domain.root_domain != sender.email.domain.root_domain
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "63e5808a-ab9a-5112-bc41-545db8c0afd2"