Low Severity

Unusually long local part from untrusted sender address

Labels

Description

Detects messages with unusually long local address parts (before the @) from senders outside trusted domains and without verified authentication.

References

No references.

Sublime Security

Created Feb 24th, 2025 • Last updated Aug 5th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

// max length of the local_part for exchange is 315
// https://learn.microsoft.com/en-us/exchange/mail-flow/mail-routing/recipient-resolution?view=exchserver-2019&viewFallbackFrom=exchonline-ww
100 < length(sender.email.local_part)
// not org_domains
and not (
  sender.email.domain.root_domain in $org_domains
  and headers.auth_summary.dmarc.pass
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and headers.auth_summary.dmarc.pass
)
// remove common senders, unless marked malicious
and not (
  profile.by_sender_email().prevalence == "common"
  and profile.by_sender_email().any_messages_malicious_or_spam == false
)
// a common observed benign cases of this due to Internet Mail Connector Encapsulated Address (IMCEA)
and not strings.istarts_with(sender.email.local_part, 'imcea')
// no previous false positives on this specific sender
and not profile.by_sender_email().any_messages_benign

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.