High Severity

VIP local_part impersonation from unsolicited sender

Description

This rule identifies potential impersonation attempts involving the local part of an $org_vip email address. Specifically, it checks for cases where the local part of an $org_vip email (e.g., local_part@domain.com) appears with a different domain (e.g., local_part@foreigndomain.com). Additionally, the rule flags messages that match an $org_vip address exactly but fail authentication.

References

No references.

Sublime Security
Created Nov 20th, 2024 • Last updated Nov 20th, 2024
Source
type.inbound
and any($org_vips,
        strings.contains(sender.email.local_part, ".")
        and strings.starts_with(.email, sender.email.local_part)
        and (
          sender.email.email != .email
          or (
            sender.email.email == .email and not headers.auth_summary.dmarc.pass
          )
        )
)

and (
  // ignore personal <> work emails
  // where the sender and mailbox's display name are the same
  length(recipients.to) > 0
  or length(recipients.cc) > 0
  or sender.display_name != mailbox.display_name
)
// bounce-back negations
and not strings.like(sender.email.local_part,
                     "*postmaster*",
                     "*mailer-daemon*",
                     "*administrator*"
)

// negate org domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $org_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $org_domains
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.