EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Monitor Email For Brand Abuse

The following analytic identifies emails claiming to be sent from a domain similar to one you are monitoring for potential abuse. It leverages email header data, specifically the sender's address, and cross-references it with a lookup table of known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or brand impersonation, which are common tactics used in social engineering attacks. If confirmed malicious, this could lead to unauthorized access, data theft, or reputational damage.

Detection Query

| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime FROM datamodel=Email
  BY All_Email.src_user, All_Email.message_id
| `drop_dm_object_name("All_Email")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval temp=split(src_user, "@")
| eval email_domain=mvindex(temp, 1)
| lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse
| search domain_abuse=true
| table message_id, src_user, email_domain, recipients, firstTime, lastTime
| `monitor_email_for_brand_abuse_filter`

Author

David Dorsey, Splunk

Created

2026-03-10

Tags

Brand MonitoringSuspicious EmailsScattered Lapsus$ Hunters
Raw Content
name: Monitor Email For Brand Abuse
id: b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8
version: 10
date: '2026-03-10'
author: David Dorsey, Splunk
status: experimental
type: TTP
description: The following analytic identifies emails claiming to be sent from a domain similar to one you are monitoring for potential abuse. It leverages email header data, specifically the sender's address, and cross-references it with a lookup table of known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or brand impersonation, which are common tactics used in social engineering attacks. If confirmed malicious, this could lead to unauthorized access, data theft, or reputational damage.
data_source: []
search: |-
    | tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime FROM datamodel=Email
      BY All_Email.src_user, All_Email.message_id
    | `drop_dm_object_name("All_Email")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | eval temp=split(src_user, "@")
    | eval email_domain=mvindex(temp, 1)
    | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse
    | search domain_abuse=true
    | table message_id, src_user, email_domain, recipients, firstTime, lastTime
    | `monitor_email_for_brand_abuse_filter`
how_to_implement: You need to ingest email header data. Specifically the sender's address (src_user) must be populated.  You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for.
known_false_positives: No false positives have been identified at this time.
references: []
rba:
    message: Possible Brand Abuse from $email_domain$
    risk_objects:
        - field: src_user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Brand Monitoring
        - Suspicious Emails
        - Scattered Lapsus$ Hunters
    asset_type: Endpoint
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network