Display name and subject impersonation using recipient SLD (new sender)

Sublime Rules

Summary
This rule detects impersonation attempts in which a recipient's second-level domain (SLD) appears in both the email display name and the subject line. It is designed to flag messages that target specific individuals by borrowing the domain name associated with their organization. The rule checks the number of recipients to separate ordinary messages from likely impersonation attempts, verifies that any links in the message do not point to the sender's own domain, and requires at least one link or one non-image attachment before flagging the message. To limit false positives, it excludes trusted domains and patterns that usually indicate legitimate communication, such as messages handled on behalf of others from known endpoints like Microsoft Online. Overall, it aims to thwart credential phishing that relies on social engineering, by scrutinizing email headers and sender identity.
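As an added illustration (not the Sublime rule's own logic or MQL), the checks described above sketched in Python and evaluated over a constructed message; the trusted-domain list, the on-behalf endpoint list and the recipient threshold are assumptions, since the page does not state them.

```python
from urllib.parse import urlparse

# Constructed values for this illustration; the real rule's lists and thresholds are not given on the page.
TRUSTED_DOMAINS = {"microsoft.com", "docusign.net"}
KNOWN_ONBEHALF_ENDPOINTS = {"microsoftonline.com"}
MAX_RECIPIENTS = 3  # assumed threshold: impersonation usually targets a handful of people
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")


def sld(domain):
    """Second-level label of a domain, e.g. 'acme' for 'mail.acme.com'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def root_domain(host):
    """Registrable part of a hostname (last two labels), used to compare link hosts with the sender."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def is_impersonation(msg):
    """Return True when the message matches the rule logic described in the summary."""
    sender_domain = msg["sender_email"].split("@")[1].lower()
    # Exclusions: trusted sender domains and on-behalf mail from known endpoints
    if sender_domain in TRUSTED_DOMAINS:
        return False
    if msg.get("on_behalf_endpoint") in KNOWN_ONBEHALF_ENDPOINTS:
        return False
    # Recipient count check: large distributions are treated as ordinary mail
    recipients = msg["recipients"]
    if len(recipients) > MAX_RECIPIENTS:
        return False
    # A recipient's SLD must appear in both the display name and the subject
    recipient_slds = {sld(r.split("@")[1]) for r in recipients}
    name, subject = msg["display_name"].lower(), msg["subject"].lower()
    if not any(s in name and s in subject for s in recipient_slds):
        return False
    # Links must not belong to the sender's own domain
    links = msg.get("links", [])
    hosts = [urlparse(u).hostname or "" for u in links]
    if any(root_domain(h) == root_domain(sender_domain) for h in hosts):
        return False
    # Require at least one link or one non-image attachment
    non_image = [a for a in msg.get("attachments", []) if not a.lower().endswith(IMAGE_EXTENSIONS)]
    return bool(links) or bool(non_image)


SAMPLE = {  # constructed message for the illustration
    "display_name": "Acme IT Helpdesk",
    "sender_email": "notice@freemail-example.net",
    "subject": "Acme password expiry",
    "recipients": ["jane@acme.com"],
    "links": ["https://login-portal.example/verify"],
    "attachments": [],
}
```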
Categories
  • Identity Management
  • Endpoint
  • Cloud
  • Web
Data Sources
  • User Account
  • Process
  • Network Traffic
Created: 2023-11-21