High Severity

Service Abuse: SurveyMonkey Survey From Newly Registered Domain

Labels

Credential Phishing
Evasion
Free file host
Social engineering
Content analysis
Header analysis
Sender analysis

Description

This Attack Surface Reduction (ASR) rule matches SurveyMonkey surveys whose reply-to address is on a recently registered domain.

References

No references.

Sublime Security
Created Apr 18th, 2025 • Last updated Apr 18th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound

// Legitimate SurveyMonkey sending infrastructure
and sender.email.email == "member@surveymonkeyuser.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass

// At least one reply-to address is on a domain registered less than 30 days ago
and any(headers.reply_to, network.whois(.email.domain).days_old < 30)

//
// This rule makes use of a beta feature and is subject to change without notice.
// Using the beta feature in custom rules is not suggested until it has been formally released.
//

// The reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited

// Do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign
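As an added illustration (not Sublime's code or its MQL runtime), the following Python approximates what the rule above evaluates, run over constructed messages; network.whois() and beta.profile.by_reply_to() are replaced by hypothetical lookup tables, and SPF/DMARC results are read from an Authentication-Results header.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed stand-ins for Sublime's network.whois() and beta.profile.by_reply_to()
# (hypothetical lookup tables, not live queries): domain -> days since registration,
# reply-to address -> (solicited, any_messages_benign). Addresses the org has never
# written to are treated as not solicited and never seen in a benign message.
WHOIS_DAYS_OLD = {"surveymonkeyuser.com": 4000, "new-claims-portal.example": 12,
                  "partner.example": 2500}
REPLY_TO_PROFILE = {"hr@partner.example": (True, True),
                    "refunds@new-claims-portal.example": (True, False)}

def auth_pass(auth_results: str, mechanism: str) -> bool:
    """Approximates headers.auth_summary.<mechanism>.pass from Authentication-Results."""
    return f"{mechanism}=pass" in auth_results.lower()

def matches_rule(raw: str) -> bool:
    """Evaluate the rule's conditions against one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = " ".join(msg.get_all("Authentication-Results", []))
    reply_tos = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    if sender != "member@surveymonkeyuser.com":   # legitimate SurveyMonkey sender only
        return False
    if not (auth_pass(auth, "spf") and auth_pass(auth, "dmarc")):
        return False
    # any(headers.reply_to, network.whois(.email.domain).days_old < 30); unknown domains count as old
    if not any(WHOIS_DAYS_OLD.get(a.split("@")[-1], 10**6) < 30 for a in reply_tos):
        return False
    # not beta.profile.by_reply_to().solicited and not .any_messages_benign
    solicited, benign = REPLY_TO_PROFILE.get(reply_tos[0], (False, False))
    return not solicited and not benign

# Constructed sample messages (not real traffic); only the headers matter here.
SURVEY_NEW_DOMAIN = """From: SurveyMonkey <member@surveymonkeyuser.com>
Reply-To: Claims Desk <billing@new-claims-portal.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=surveymonkeyuser.com; dmarc=pass header.from=surveymonkeyuser.com
Subject: Please complete your reimbursement survey

Survey link would follow here.
"""
SURVEY_KNOWN_PARTNER = SURVEY_NEW_DOMAIN.replace("billing@new-claims-portal.example", "hr@partner.example")
SURVEY_ALREADY_SOLICITED = SURVEY_NEW_DOMAIN.replace("billing@", "refunds@")

if __name__ == "__main__":
    for name, raw in [("new domain", SURVEY_NEW_DOMAIN), ("known partner", SURVEY_KNOWN_PARTNER),
                      ("already solicited", SURVEY_ALREADY_SOLICITED)]:
        print(f"{name}: {'MATCH' if matches_rule(raw) else 'no match'}")
```

The third sample shows why the beta profile clauses matter: the reply-to domain is new, but the org has already written to that address, so the rule stays quiet.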