Sublime Core Feed
Medium Severity

Inbound message from popular service via newly observed distribution list

Description

Detects an inbound message that has traversed a distribution list or other automatic relay, identified by Sender Rewrite Scheme (SRS) markers in the return path or in the SPF-checked identity, sent from a popular service domain (not a free mail provider) to a single recipient address that has never sent mail to or received mail from the organization. Threat actors have been observed abusing this delivery path to land callback phishing in a mailbox via a list the target never knew existed.

References

No references.

Sublime Security
Created Feb 3rd, 2025 • Last updated Aug 5th, 2025
Source
type.inbound
and length(recipients.to) == 1
and length(recipients.bcc) == 0
// abuse involves a popular service
and sender.email.domain.root_domain in $tranco_50k

// message is not from a free mail provider; we have only observed service providers abused
and sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $free_email_providers
and not any(recipients.to, .email.email =~ sender.email.email)

// uses Sender Rewrite Scheme, indicating the message traversed a distribution list or other automatic relay
and (
  strings.icontains(headers.return_path.local_part, "+SRS=")
  // when the recipient is a group controlled by the final recipient
  // the return_path header can be overwritten;
  // check the SPF designator for evidence of SRS
  or strings.icontains(headers.auth_summary.spf.details.designator, "+SRS=")
  or any(headers.hops,
         strings.icontains(.authentication_results.spf_details.designator,
                           '+SRS='
         )
  )
)
// neither the sender nor the recipient is in $org_domains
and sender.email.domain.domain not in $org_domains
// the recipient has never exchanged email with the org
and all(recipients.to,
        .email.domain.domain not in $org_domains
        // ensure the recipient domain has never sent/received an email to/from the org
        and (
          (
            // use the domain only if the recipient domain is not a free email provider
            .email.domain.domain not in $free_email_providers
            and .email.domain.root_domain not in $free_email_providers
            and .email.domain.domain not in $sender_domains
            and .email.domain.root_domain not in $sender_domains
            and .email.domain.domain not in $recipient_domains
            and .email.domain.root_domain not in $recipient_domains
          )
          or (
            // use the full email address if the recipient domain is a free email provider
            (
              .email.domain.domain in $free_email_providers
              or .email.domain.root_domain in $free_email_providers
            )
            and .email.email not in $sender_emails
            and .email.email not in $recipient_emails
          )
          or (
            .email.domain.root_domain in ("onmicrosoft.com")
            // negate onmicrosoft domains within org_domains
            and not .email.domain.domain in $org_domains
          )
        )
)
// if there are reply-to addresses, ensure they are also not associated with the org
and all(headers.reply_to,
        .email.domain.domain not in $org_domains
        and .display_name not in $org_display_names
)

// check the return path to ensure it's not related to our sender or the mailbox at all
and not strings.iends_with(headers.return_path.local_part,
                           strings.concat('@', sender.email.domain.domain)
)
and not strings.icontains(headers.return_path.local_part,
                          mailbox.email.local_part
)

// not an inbox rule or automatic forward from a Microsoft Account
and not any(headers.hops,
            any(.fields,
                .name in~ (
                  'X-MS-Exchange-ForwardingLoop',
                  'X-MS-Exchange-Inbox-Rules-Loop'
                )
            )
)
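The following is an added example, not Sublime's code and not part of the rule above: a stand-alone Python model of the same detection logic, run over constructed sample messages so the individual conditions can be exercised offline. The Message and OrgContext fields stand in for the MQL attributes and lists ($org_domains, $free_email_providers, $tranco_50k, $sender_domains/$recipient_domains, $sender_emails/$recipient_emails); their contents and every address below are made up for illustration. It goes one step beyond the rule by also parsing the SRS local part (both the Exchange Online "+SRS=" form the rule matches on and the classic SRS0 form) to recover the original sender for triage.

```python
# Added example: Python model of the MQL rule above, run over constructed messages.
# Not Sublime's code; the classes, lists and addresses are assumptions for illustration.
from __future__ import annotations
import re
from dataclasses import dataclass, field, replace

LOOP_HEADERS = {"x-ms-exchange-forwardingloop", "x-ms-exchange-inbox-rules-loop"}
# Exchange Online SRS: <mailbox>+SRS=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder>
EXCHANGE_SRS = re.compile(r"\+SRS=[^=]*=[^=]*=(?P<domain>[^=@]+)=(?P<local>[^@]+)$", re.I)
# Classic SRS0 (sendmail/postfix style): SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder>
CLASSIC_SRS0 = re.compile(r"^SRS0[=+-][^=]*=[^=]*=(?P<domain>[^=@]+)=(?P<local>[^@]+)$", re.I)

def local_part(addr: str) -> str:
    return addr.rsplit("@", 1)[0]

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()

def root_of(addr: str) -> str:
    # Simplification: last two labels; real code would consult the public suffix list.
    return ".".join(domain_of(addr).split(".")[-2:])

def parse_srs(return_path: str):
    """(original domain, original local part) from an SRS-rewritten return path, or None.
    For triage this is who really sent the message before the list/relay rewrote the envelope."""
    lp = local_part(return_path)
    for pattern in (EXCHANGE_SRS, CLASSIC_SRS0):
        m = pattern.search(lp)
        if m:
            return m.group("domain").lower(), m.group("local")
    return None

@dataclass
class Message:
    sender: str                  # header From address (sender.email in the rule)
    to: list[str]
    mailbox: str                 # the org mailbox the message landed in
    return_path: str
    bcc: list[str] = field(default_factory=list)
    reply_to: list[tuple[str, str]] = field(default_factory=list)  # (email, display name)
    spf_designators: list[str] = field(default_factory=list)       # SPF identities, all hops
    hop_headers: list[str] = field(default_factory=list)           # header names seen in hops

@dataclass
class OrgContext:
    org_domains: set[str]
    org_display_names: set[str]
    free_email_providers: set[str]
    tranco_50k: set[str]
    known_domains: set[str]      # stands in for $sender_domains | $recipient_domains
    known_emails: set[str]       # stands in for $sender_emails | $recipient_emails

def recipient_never_seen(rcpt: str, ctx: OrgContext) -> bool:
    d, r = domain_of(rcpt), root_of(rcpt)
    if d in ctx.org_domains:
        return False
    if d in ctx.free_email_providers or r in ctx.free_email_providers:
        return rcpt.lower() not in ctx.known_emails   # free mail: the domain says nothing, use the address
    return r == "onmicrosoft.com" or (d not in ctx.known_domains and r not in ctx.known_domains)

def matches(msg: Message, ctx: OrgContext) -> bool:
    s, rp_local = msg.sender, local_part(msg.return_path).lower()
    return (
        len(msg.to) == 1 and not msg.bcc
        and root_of(s) in ctx.tranco_50k                             # abuse involves a popular service
        and root_of(s) not in ctx.free_email_providers
        and domain_of(s) not in ctx.free_email_providers
        and s.lower() not in [t.lower() for t in msg.to]
        and ("+srs=" in rp_local                                      # traversed a list or relay
             or any("+srs=" in d.lower() for d in msg.spf_designators))
        and domain_of(s) not in ctx.org_domains
        and all(recipient_never_seen(t, ctx) for t in msg.to)
        and all(domain_of(e) not in ctx.org_domains and n not in ctx.org_display_names
                for e, n in msg.reply_to)
        and not rp_local.endswith("@" + domain_of(s))
        and local_part(msg.mailbox).lower() not in rp_local
        and not any(h.lower() in LOOP_HEADERS for h in msg.hop_headers)   # not an inbox-rule forward
    )

# Constructed context and messages; none of these addresses or lists are real data.
CTX = OrgContext(
    org_domains={"org.example"}, org_display_names={"Org Helpdesk"},
    free_email_providers={"gmail.com", "outlook.com"},
    tranco_50k={"popularservice.example", "gmail.com"},
    known_domains={"knownpartner.example"}, known_emails=set(),
)
SRS_RP = "bounces+SRS=a1b2c3=AB=popularservice.example=noreply@list-host.example"

def sample_hit() -> Message:
    return Message(sender="noreply@popularservice.example", to=["all-staff@list-host.example"],
                   mailbox="jane.doe@org.example", return_path=SRS_RP, spf_designators=[SRS_RP])

def sample_misses() -> dict[str, Message]:
    """Near-misses that each fail exactly one condition of the rule."""
    base = sample_hit()
    return {
        "inbox_rule": replace(base, hop_headers=["X-MS-Exchange-Inbox-Rules-Loop"]),
        "known_list": replace(base, to=["all-staff@knownpartner.example"]),
        "free_sender": replace(base, sender="someone@gmail.com"),
        "no_srs": replace(base, return_path="noreply@popularservice.example", spf_designators=[]),
    }
```

Calling matches(sample_hit(), CTX) returns True and every message from sample_misses() returns False; parse_srs(SRS_RP) gives ("popularservice.example", "noreply"), which is the identity an analyst should pivot on, since the visible return path only names the relay. The "+srs=" substring test is deliberately kept as loose as the rule's icontains so the model fires on the same messages; the regexes are only used for the triage helper.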