EXPLORE
Sign In
← Back to Explore
sublimehighRule

VIP local_part impersonation from unsolicited sender

This rule identifies potential impersonation attempts involving the local part of an $org_vip email address. Specifically, it checks for cases where the local part of an $org_vip email (e.g., local_part@domain.com) appears with a different domain (e.g., local_part@foreigndomain.com). Additionally, the rule flags messages that match an $org_vip address exactly but fail authentication.

MITRE ATT&CK

T1566.002T1534T1566T1598
initial-access

Detection Query

type.inbound
and any($org_vips,
        strings.contains(sender.email.local_part, ".")
        and strings.starts_with(.email, sender.email.local_part)
        and (
          sender.email.email != .email
          or (
            sender.email.email == .email and not headers.auth_summary.dmarc.pass
          )
        )
)
and (
  // ignore personal <> work emails
  // where the sender and mailbox's display name are the same
  length(recipients.to) > 0
  or length(recipients.cc) > 0
  or sender.display_name != mailbox.display_name
)
// bounce-back negations
and not strings.like(sender.email.local_part,
                     "*postmaster*",
                     "*mailer-daemon*",
                     "*administrator*"
)

// negate org domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $org_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $org_domains
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// sender profile
and (
  not profile.by_sender_email().solicited
  or not profile.by_sender_email().any_messages_benign
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_messages_benign
  )
  or (
    sender.email.domain.domain in $org_domains
    and not coalesce(headers.auth_summary.dmarc.pass, false)
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "VIP local_part impersonation from unsolicited sender"
description: "This rule identifies potential impersonation attempts involving the local part of an $org_vip email address. Specifically, it checks for cases where the local part of an $org_vip email (e.g., local_part@domain.com) appears with a different domain (e.g., local_part@foreigndomain.com). Additionally, the rule flags messages that match an $org_vip address exactly but fail authentication."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any($org_vips,
          strings.contains(sender.email.local_part, ".")
          and strings.starts_with(.email, sender.email.local_part)
          and (
            sender.email.email != .email
            or (
              sender.email.email == .email and not headers.auth_summary.dmarc.pass
            )
          )
  )
  and (
    // ignore personal <> work emails
    // where the sender and mailbox's display name are the same
    length(recipients.to) > 0
    or length(recipients.cc) > 0
    or sender.display_name != mailbox.display_name
  )
  // bounce-back negations
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  
  // negate org domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $org_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $org_domains
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender profile
  and (
    not profile.by_sender_email().solicited
    or not profile.by_sender_email().any_messages_benign
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
    or (
      sender.email.domain.domain in $org_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
  )
tags:
  - "Attack surface reduction"
tactics_and_techniques:
  - "Impersonation: VIP"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "74035fdc-78c4-5a29-83d8-c1060ead4e28"