EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Headers: System account impersonation with empty sender address

Detects messages with an empty sender email address and a display name impersonating system accounts like mailer-daemon, postmaster, or administrator, but lacking legitimate bounce back content as determined by natural language processing.

MITRE ATT&CK

T1566.002T1534T1656T1566T1566.001T1598
initial-access

Detection Query

type.inbound
and sender.email.email == ""
and (
  strings.icontains(sender.display_name, "mailer-daemon")
  or strings.icontains(sender.display_name, "postmaster")
)
and not (
  (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Bounce Back and Delivery Failure Notifications"
        and .confidence == "high"
    )
    or regex.icontains(subject.subject, 'Undeliver(?:ed|able)')
    or regex.icontains(subject.subject,
                       'Mensagem não entregue'
    ) // portuguese bounce back variant 
    or regex.icontains(subject.subject,
                       '系统退信'
    ) // chinese bounce back variant 
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Headers: System account impersonation with empty sender address"
description: "Detects messages with an empty sender email address and a display name impersonating system accounts like mailer-daemon, postmaster, or administrator, but lacking legitimate bounce back content as determined by natural language processing."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == ""
  and (
    strings.icontains(sender.display_name, "mailer-daemon")
    or strings.icontains(sender.display_name, "postmaster")
  )
  and not (
    (
      any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "Bounce Back and Delivery Failure Notifications"
          and .confidence == "high"
      )
      or regex.icontains(subject.subject, 'Undeliver(?:ed|able)')
      or regex.icontains(subject.subject,
                         'Mensagem não entregue'
      ) // portuguese bounce back variant 
      or regex.icontains(subject.subject,
                         '系统退信'
      ) // chinese bounce back variant 
    )
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "Natural Language Understanding"
id: "887f7953-9dbc-5582-a4b6-b5b79cce6744"