Detection rules › Sublime MQL
Impersonation using recipient domain (untrusted sender)
The recipient's domain is used in the sender's display name in order to impersonate the organization. The impersonation has been observed to use both the recipient's full email address, as well as just the domain.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Social engineering |
Event coverage
Rule body MQL
type.inbound
// only 1 To: recipient
and length(recipients.to) + length(recipients.bcc) + length(recipients.cc) == 1
and any(recipients.to,
// custom domains only
sender.email.domain.domain not in $free_email_providers
// recipient's domain is in the sender's display name
and strings.icontains(sender.display_name, .email.domain.root_domain)
)
and not (
(
strings.contains(sender.display_name, "on behalf of")
and sender.email.domain.root_domain == "microsoftonline.com"
)
or (
strings.contains(sender.display_name, "via TransferXL")
and sender.email.domain.root_domain == "transferxl.com"
)
)
and all(recipients.to,
.email.domain.root_domain != sender.email.domain.root_domain
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Detection logic
Scope: inbound message.
The recipient's domain is used in the sender's display name in order to impersonate the organization. The impersonation has been observed to use both the recipient's full email address, as well as just the domain.
- inbound message
- length(recipients.to) + length(recipients.bcc) + length(recipients.cc) is 1
any of
recipients.towhere all hold:- sender.email.domain.domain not in $free_email_providers
- strings.icontains(sender.display_name)
none of:
all of:
- sender.display_name contains 'on behalf of'
- sender.email.domain.root_domain is 'microsoftonline.com'
all of:
- sender.display_name contains 'via TransferXL'
- sender.email.domain.root_domain is 'transferxl.com'
all of
recipients.towhere:- .email.domain.root_domain is not sender.email.domain.root_domain
any of:
- profile.by_sender().prevalence in ('new', 'outlier')
all of:
- profile.by_sender().any_messages_malicious_or_spam
not:
- profile.by_sender().any_messages_benign
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: headers.auth_summary.dmarc.pass, recipients.to, recipients.to[].email.domain.root_domain, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, type.inbound. Sensors: profile.by_sender, strings.contains, strings.icontains. Reference lists: $free_email_providers, $high_trust_sender_root_domains.
Indicators matched (4)
| Field | Match | Value |
|---|---|---|
strings.contains | substring | on behalf of |
sender.email.domain.root_domain | equals | microsoftonline.com |
strings.contains | substring | via TransferXL |
sender.email.domain.root_domain | equals | transferxl.com |