Sublime · Severity: medium · Rule

Inbound message from popular service via newly observed distribution list

Detects a message that arrived via a distribution list — identified by a return path (or SPF designator) containing a Sender Rewrite Scheme (SRS) marker — from a sender at a previously unknown domain, addressed to a single recipient who has never interacted with the organization. Threat actors have been observed abusing this delivery path for callback phishing.

MITRE ATT&CK

defense-evasion, initial-access

Detection Query

// Inbound message from popular service via newly observed distribution list
//
// Matches a message that (1) is sent from a well-known, non-free-mail sender
// domain, (2) carries "+SRS=" in its return path or an SPF designator
// (Sender Rewrite Scheme, i.e. it was relayed through a distribution list or
// a similar automatic forwarder), and (3) is addressed to a single To
// recipient whose domain/address has no prior send/receive history with the
// org. This combination has been observed in callback-phishing delivery via
// abused third-party services.
type.inbound
// exactly one To recipient and no Bcc recipients
// NOTE(review): recipients.cc is not constrained, so a message with one To
// recipient and several Cc recipients still matches - confirm this is intended
and length(recipients.to) == 1
and length(recipients.bcc) == 0
// abuse involves a popular service: sender root domain is in the Tranco top 50k
// NOTE(review): no SPF/DKIM/DMARC result is consulted here, so a spoofed From
// header at a popular domain also satisfies this condition
and sender.email.domain.root_domain in $tranco_50k

// message is not from a free mail provider; only service providers have been
// observed being abused
and sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $free_email_providers
// the sender address is not also the sole To recipient
and not any(recipients.to, .email.email =~ sender.email.email)

// uses Sender Rewrite Scheme, indicating the message traversed a distribution
// list or other automatic relay
and (
  strings.icontains(headers.return_path.local_part, "+SRS=")
  // when the recipient is a group controlled by the final recipient's tenant,
  // the Return-Path header can be overwritten, so also look for SRS evidence
  // in the SPF designator (both the summary and each hop)
  or strings.icontains(headers.auth_summary.spf.details.designator, "+SRS=")
  or any(headers.hops,
         strings.icontains(.authentication_results.spf_details.designator,
                           '+SRS='
         )
  )
)
// the sender is not in $org_domains
and sender.email.domain.domain not in $org_domains
// the recipient is not in $org_domains and has no prior history with the org
and all(recipients.to,
        .email.domain.domain not in $org_domains
        // ensure the recipient has never sent/received an email to/from the
        // org; which history list is consulted depends on the recipient's domain
        and (
          (
            // recipient domain is NOT a free mail provider: match on the
            // domain and root domain against the org's sender/recipient history
            .email.domain.domain not in $free_email_providers
            and .email.domain.root_domain not in $free_email_providers
            and .email.domain.domain not in $sender_domains
            and .email.domain.root_domain not in $sender_domains
            and .email.domain.domain not in $recipient_domains
            and .email.domain.root_domain not in $recipient_domains
          )
          or (
            // recipient domain IS a free mail provider: the domain is shared by
            // many unrelated users, so match on the full address instead
            (
              .email.domain.domain in $free_email_providers
              or .email.domain.root_domain in $free_email_providers
            )
            and .email.email not in $sender_emails
            and .email.email not in $recipient_emails
          )
          or (
            // recipient is a non-org onmicrosoft.com tenant address
            // NOTE(review): this branch consults none of the history lists
            // ($sender_domains, $recipient_domains, $sender_emails,
            // $recipient_emails), so any non-org onmicrosoft.com recipient
            // qualifies regardless of prior interaction - confirm intended
            .email.domain.root_domain in ("onmicrosoft.com")
            // exclude onmicrosoft domains that belong to the org itself
            and not .email.domain.domain in $org_domains
          )
        )
)
// if there are reply-to addresses, ensure they are also not associated with the org
and all(headers.reply_to,
        .email.domain.domain not in $org_domains
        and .display_name not in $org_display_names
)

// check the return path to ensure it's not related to the sender or the mailbox
// NOTE(review): the first check compares the return-path *local part* with
// "@<sender domain>"; a local part normally carries no '@', so this condition
// may never fire - the intended comparison is probably against the full
// return-path address or its .domain.domain; confirm against sample messages
and not strings.iends_with(headers.return_path.local_part,
                           strings.concat('@', sender.email.domain.domain)
)
// NOTE(review): a substring match on the mailbox local part is loose for short
// local parts (e.g. "it", "hr") and may suppress true positives - confirm
and not strings.icontains(headers.return_path.local_part,
                          mailbox.email.local_part
)

// not an inbox rule or automatic forward from a Microsoft account (the header
// names suggest Exchange loop-detection markers added on such hops)
and not any(headers.hops,
            any(.fields,
                .name in~ (
                  'X-MS-Exchange-ForwardingLoop',
                  'X-MS-Exchange-Inbox-Rules-Loop'
                )
            )
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Sublime Security rule definition; the MQL under `source` is the same query
# rendered above under "Detection Query".
name: "Inbound message from popular service via newly observed distribution list"
description: "Detects when a message comes through a distribution list by matching on return paths containing Sender Rewrite Scheme (SRS) from a previously unknown domain sender to a single recipient who has never interacted with the organization. This method has been observed being abused by threat actors to deliver callback phishing."
type: "rule"
# NOTE(review): medium - the SRS + never-seen-recipient combination indicates
# abuse of a legitimate relay path, not proof of malicious content
severity: "medium"
# MQL detection logic (literal block; the // lines inside are MQL comments)
source: |
  type.inbound
  and length(recipients.to) == 1
  and length(recipients.bcc) == 0
  // abuse involves a popular service
  and sender.email.domain.root_domain in $tranco_50k
  
  // message is not from a free mail provider, we have only observed sevice providers abused
  and sender.email.domain.root_domain not in $free_email_providers
  and sender.email.domain.domain not in $free_email_providers
  and not any(recipients.to, .email.email =~ sender.email.email)
  
  // uses Sender Rewrite Scheme indicating the message traversed a distribtion list or other automatic relay
  and (
    strings.icontains(headers.return_path.local_part, "+SRS=")
    // when the receipient is a group controlled by the final recipient
    // the return_path header can be overwritten
    // check the SPF designator for evidence of SRS 
    or strings.icontains(headers.auth_summary.spf.details.designator, "+SRS=")
    or any(headers.hops,
           strings.icontains(.authentication_results.spf_details.designator,
                             '+SRS='
           )
    )
  )
  // the sender and recipient is not in $org_domains
  and sender.email.domain.domain not in $org_domains
  // the recipient has never sent an email to the org
  and all(recipients.to,
          .email.domain.domain not in $org_domains
          // ensure the recipient domain has never send/received an email to/from the org
          and (
            (
              // use the domain only if the sender domain is not within free_email_providers
              .email.domain.domain not in $free_email_providers
              and .email.domain.root_domain not in $free_email_providers
              and .email.domain.domain not in $sender_domains
              and .email.domain.root_domain not in $sender_domains
              and .email.domain.domain not in $recipient_domains
              and .email.domain.root_domain not in $recipient_domains
            )
            or (
              // use the email address the sender domain is within free_email_providers
              (
                .email.domain.domain in $free_email_providers
                or .email.domain.root_domain in $free_email_providers
              )
              and .email.email not in $sender_emails
              and .email.email not in $recipient_emails
            )
            or (
              .email.domain.root_domain in ("onmicrosoft.com")
              // negate onmicrosoft domains within org_domains
              and not .email.domain.domain in $org_domains
            )
          )
  )
  // if there are reply-to addresses, ensure they are also not assoicated with the org
  and all(headers.reply_to,
          .email.domain.domain not in $org_domains
          and .display_name not in $org_display_names
  )
  
  // check the return path to ensure it's not related to our sender or the mailbox at all
  and not strings.iends_with(headers.return_path.local_part,
                             strings.concat('@', sender.email.domain.domain)
  )
  and not strings.icontains(headers.return_path.local_part,
                            mailbox.email.local_part
  )
  
  // not an inbox rule or automatic forward from a Microsoft Account
  and not any(headers.hops,
              any(.fields,
                  .name in~ (
                    'X-MS-Exchange-ForwardingLoop',
                    'X-MS-Exchange-Inbox-Rules-Loop'
                  )
              )
  )
# classification tags consumed by the platform
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
# stable rule identifier
id: "8f4bc148-a6b3-5dc4-9d2b-893c38c86c48"