EXPLORE
Sign In
← Back to Explore
sublimelowRule

Unusually long local part from untrusted sender address

Detects messages with unusually long local address parts (before the @) from senders outside trusted domains and without verified authentication.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1036T1027
defense-evasion

Detection Query

// max length of the local_part for exchange is 315
// https://learn.microsoft.com/en-us/exchange/mail-flow/mail-routing/recipient-resolution?view=exchserver-2019&viewFallbackFrom=exchonline-ww
100 < length(sender.email.local_part)
// not org_domains
and not (
  sender.email.domain.root_domain in $org_domains
  and headers.auth_summary.dmarc.pass
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and headers.auth_summary.dmarc.pass
)
// remove common senders, unless marked malicious
and not (
  profile.by_sender_email().prevalence == "common"
  and profile.by_sender_email().any_messages_malicious_or_spam == false
)
// a common observed benign cases of this due to Internet Mail Connector Encapsulated Address (IMCEA)
and not strings.istarts_with(sender.email.local_part, 'imcea')
// no previous false positives on this specific sender
and not profile.by_sender_email().any_messages_benign

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "Unusually long local part from untrusted sender address"
description: "Detects messages with unusually long local address parts (before the @) from senders outside trusted domains and without verified authentication."
type: "rule"
severity: "low"
source: |
  // max length of the local_part for exchange is 315
  // https://learn.microsoft.com/en-us/exchange/mail-flow/mail-routing/recipient-resolution?view=exchserver-2019&viewFallbackFrom=exchonline-ww
  100 < length(sender.email.local_part)
  // not org_domains
  and not (
    sender.email.domain.root_domain in $org_domains
    and headers.auth_summary.dmarc.pass
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and headers.auth_summary.dmarc.pass
  )
  // remove common senders, unless marked malicious
  and not (
    profile.by_sender_email().prevalence == "common"
    and profile.by_sender_email().any_messages_malicious_or_spam == false
  )
  // a common observed benign cases of this due to Internet Mail Connector Encapsulated Address (IMCEA)
  and not strings.istarts_with(sender.email.local_part, 'imcea')
  // no previous false positives on this specific sender
  and not profile.by_sender_email().any_messages_benign
tags:
 - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "91a9cd45-41a9-51b9-9207-ded98d398d70"