Sublime Core Feed
Medium Severity

Spoofable internal domain with suspicious signals

Labels

Credential Phishing
Free file host
Free subdomain host
Social engineering
Spoofing
Content analysis
Header analysis
Natural Language Understanding
Sender analysis

Description

The sender's domain is a known org domain, but the display name is not a known org display name. The SPF and DMARC verdicts for that domain are "none", which means the domain can be spoofed. We then look for a combination of other suspicious signals, such as a suspicious link or suspicious language.

False positives may occur with automated sending systems that send rich-text emails; in that case we can add further signals or exclude those senders.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated May 3rd, 2024
Feed Source
Sublime Core Feed
Source
GitHub

type.inbound
and sender.email.domain.domain in $org_domains

// doesn't match an org display name (generic)
// we could make this more generic later
and sender.display_name not in $org_display_names
and any(headers.hops,

        // find the hop Authentication-results for the org domain
        .authentication_results.dmarc_details.from.domain in $org_domains

        // internal domain is spoofable
        and .authentication_results.dmarc == "none"
        and .authentication_results.spf == "none"
        and .authentication_results.compauth.verdict not in ("pass", "softpass")
)
and 3 of (
  (
    // low reputation / suspicious link
    any(body.links,
        .href_url.domain.root_domain not in $org_domains
        and (
          .href_url.domain.root_domain not in $tranco_1m
          or .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.domain in $url_shorteners
        )
    )
  ),
  (
    // sender domain matches no body domains
    length(body.links) > 0
    and all(body.links,
            .href_url.domain.root_domain != sender.email.domain.root_domain
    )
  ),
  (
    // suspicious domain in headers
    any(headers.domains,
        // it's not an org domain
        .root_domain not in $org_domains

        // low reputation
        and .root_domain not in $alexa_1m

        // no one has sent an email to it before
        and .root_domain not in $recipient_domains
    )
  ),
  (
    // suspicious language
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name != "benign" and .confidence == "high"
    )
  )
)
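To make the rule's two-stage logic concrete (the "spoofable internal domain" gate, then the count of independent suspicious signals), here is an added Python model of it; this is illustration code, not Sublime's rule engine, and the list contents, the message fields and the NLU classifier output are all constructed stand-ins for `$org_domains`, `$tranco_1m`/`$alexa_1m`, `$free_file_hosts`, `$url_shorteners`, `$recipient_domains` and `ml.nlu_classifier`.

```python
# Added illustration, not Sublime's code; list contents and NLU output are constructed.
from dataclasses import dataclass

ORG_DOMAINS = {"example.com"}                      # stands in for $org_domains
ORG_DISPLAY_NAMES = {"Example IT", "Example HR"}   # $org_display_names
TOP_1M = {"google.com", "microsoft.com"}           # $tranco_1m / $alexa_1m
FREE_FILE_HOSTS = {"drive.google.com"}             # $free_file_hosts
URL_SHORTENERS = {"bit.ly"}                        # $url_shorteners
RECIPIENT_DOMAINS = {"partner.example"}            # $recipient_domains

def root(domain: str) -> str:
    # Crude root-domain helper; MQL's root_domain uses the public suffix list.
    return ".".join(domain.split(".")[-2:])
@dataclass
class Msg:
    sender_domain: str
    display_name: str
    hop_auth: dict        # Authentication-Results of the hop that evaluated the org domain
    link_domains: list    # href_url.domain.domain of each body link
    header_domains: list  # headers.domains
    nlu_intent: tuple     # (name, confidence) as ml.nlu_classifier would return

def spoofable_internal_domain(m: Msg) -> bool:
    a = m.hop_auth
    return (m.sender_domain in ORG_DOMAINS and m.display_name not in ORG_DISPLAY_NAMES
            and a["from_domain"] in ORG_DOMAINS and a["dmarc"] == "none"
            and a["spf"] == "none" and a["compauth"] not in ("pass", "softpass"))
def suspicious_signals(m: Msg) -> list:
    hits = []  # each entry mirrors one clause of the rule's "3 of (...)"
    if any(root(d) not in ORG_DOMAINS and (root(d) not in TOP_1M or d in FREE_FILE_HOSTS
           or root(d) in FREE_FILE_HOSTS or d in URL_SHORTENERS) for d in m.link_domains):
        hits.append("suspicious_link")
    if m.link_domains and all(root(d) != root(m.sender_domain) for d in m.link_domains):
        hits.append("no_link_to_sender_domain")
    if any(root(d) not in ORG_DOMAINS and root(d) not in TOP_1M
           and root(d) not in RECIPIENT_DOMAINS for d in m.header_domains):
        hits.append("suspicious_header_domain")
    name, confidence = m.nlu_intent
    if name != "benign" and confidence == "high":
        hits.append("suspicious_language")
    return hits
def rule_matches(m: Msg) -> bool:
    return spoofable_internal_domain(m) and len(suspicious_signals(m)) >= 3
# Constructed samples: same phishing content, differing only in the SPF/compauth verdicts.
SPOOFED = Msg("example.com", "Jane Doe", {"from_domain": "example.com", "dmarc": "none",
              "spf": "none", "compauth": "fail"}, ["bit.ly"], ["mail.relay.test"],
              ("cred_theft", "high"))
AUTHENTICATED = Msg("example.com", "Jane Doe", {"from_domain": "example.com", "dmarc": "none",
                    "spf": "pass", "compauth": "pass"}, ["bit.ly"], ["mail.relay.test"],
                    ("cred_theft", "high"))
```

The second sample shows why the gate matters: it trips all four content signals, yet because SPF passes the domain is not spoofable and the rule stays quiet, which is the behaviour that keeps legitimate internal automated mail out of the alert queue.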