
Monitor Email For Brand Abuse

Status: experimental
Severity: medium
Group by: All_Email.message_id, All_Email.src_user
Author: David Dorsey, Splunk
Source: github.com/splunk/security_content

The following analytic identifies emails claiming to be sent from a domain similar to one you are monitoring for potential abuse. It leverages email header data, specifically the sender's address, and cross-references it with a lookup table of known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or brand impersonation, which are common tactics used in social engineering attacks. If confirmed malicious, this could lead to unauthorized access, data theft, or reputational damage.

Rule body (splunk)

name: Monitor Email For Brand Abuse
id: b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8
version: 11
creation_date: '2020-04-29'
modification_date: '2026-05-13'
author: David Dorsey, Splunk
status: experimental
type: TTP
description: The following analytic identifies emails claiming to be sent from a domain similar to one you are monitoring for potential abuse. It leverages email header data, specifically the sender's address, and cross-references it with a lookup table of known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or brand impersonation, which are common tactics used in social engineering attacks. If confirmed malicious, this could lead to unauthorized access, data theft, or reputational damage.
data_source: []
search: |-
    | tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime FROM datamodel=Email
      BY All_Email.src_user, All_Email.message_id
    | `drop_dm_object_name("All_Email")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | eval temp=split(src_user, "@")
    | eval email_domain=mvindex(temp, 1)
    | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse
    | search domain_abuse=true
    | table message_id, src_user, email_domain, recipients, firstTime, lastTime
    | `monitor_email_for_brand_abuse_filter`
how_to_implement: You need to ingest email header data. Specifically, the sender's address (src_user) must be populated. You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for.
known_false_positives: No false positives have been identified at this time.
references: []
finding:
    title: Possible Brand Abuse from $email_domain$
    entity:
        field: src_user
        type: user
        score: 50
analytic_story:
    - Brand Monitoring
    - Suspicious Emails
    - Scattered Lapsus$ Hunters
asset_type: Endpoint
mitre_attack_id: []
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: application
security_domain: network
baselines:
    - DNSTwist Domain Names

Stages and Predicates

Stage 1: tstats

| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime FROM datamodel=Email
  BY All_Email.src_user, All_Email.message_id

Stage 2: search

| `drop_dm_object_name("All_Email")`

Stage 3: search

| `security_content_ctime(firstTime)`

Stage 4: search

| `security_content_ctime(lastTime)`

Stage 5: eval

| eval temp=split(src_user, "@")

Stage 6: eval

| eval email_domain=mvindex(temp, 1)

Stage 7: lookup

| lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse
Lookup table: brandMonitoring_lookup
Key field: domain as email_domain
Output columns: domain_abuse

Stage 8: search

| search domain_abuse=true

Stage 9: table

| table message_id, src_user, email_domain, recipients, firstTime, lastTime

Stage 10: search

| `monitor_email_for_brand_abuse_filter`
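As an added illustration (not code from the security_content project), the following Python replays stages 1 through 9 of the pipeline above over constructed Email data-model events and a constructed stand-in for brandMonitoring_lookup. The lookup contents, the event values, and the lower-casing of the domain before the lookup are assumptions made here, not behaviour taken from the SPL.

```python
from collections import defaultdict

# Constructed stand-in for brandMonitoring_lookup: in production this table is
# filled by the "ESCU - DNSTwist Domain Names" search with permutations of the
# monitored domain (here "example.com", a constructed example).
BRAND_MONITORING_LOOKUP = {
    "examp1e.com": {"domain_abuse": "true"},   # digit one in place of "l"
    "exarnple.com": {"domain_abuse": "true"},  # "rn" in place of "m"
    "example.com": {"domain_abuse": "false"},  # the legitimate domain itself
}

# Constructed Email data-model events (field names as seen after drop_dm_object_name).
EMAIL_EVENTS = [
    {"_time": 1700000000, "src_user": "billing@examp1e.com", "recipient": "alice@corp.test", "message_id": "<m1@examp1e.com>"},
    {"_time": 1700000060, "src_user": "billing@examp1e.com", "recipient": "bob@corp.test", "message_id": "<m1@examp1e.com>"},
    {"_time": 1700000120, "src_user": "hr@example.com", "recipient": "carol@corp.test", "message_id": "<m2@example.com>"},
    {"_time": 1700000180, "src_user": "MAILER-DAEMON", "recipient": "dave@corp.test", "message_id": "<m3@local>"},
    {"_time": 1700000240, "src_user": "it@Exarnple.COM", "recipient": "erin@corp.test", "message_id": "<m4@exarnple.com>"},
]


def email_domain(src_user):
    """Stages 5-6: split(src_user, "@") then mvindex(temp, 1); None when there is no '@'."""
    parts = src_user.split("@")
    return parts[1] if len(parts) > 1 else None


def monitor_email_for_brand_abuse(events, lookup):
    """Replays stages 1-9 of the SPL over in-memory events and returns the table rows."""
    # Stage 1: tstats ... BY src_user, message_id with values(recipient), min/max(_time).
    groups = defaultdict(lambda: {"recipients": set(), "times": []})
    for ev in events:
        g = groups[(ev["src_user"], ev["message_id"])]
        g["recipients"].add(ev["recipient"])
        g["times"].append(ev["_time"])
    rows = []
    for (src_user, message_id), g in groups.items():
        domain = email_domain(src_user)
        if domain is None:
            continue  # mvindex returned null: nothing to look up, no finding
        # Stages 7-8: lookup domain_abuse and keep only rows where it is "true".
        # Lower-casing the key is an assumption added here; the SPL above does not do it.
        row = lookup.get(domain.lower())
        if row is None or row["domain_abuse"] != "true":
            continue
        rows.append({"message_id": message_id, "src_user": src_user,
                     "email_domain": domain, "recipients": sorted(g["recipients"]),
                     "firstTime": min(g["times"]), "lastTime": max(g["times"])})
    return rows
```

Running it over the constructed events yields two findings (the "examp1e.com" message with both recipients collapsed into one row, and the mixed-case "Exarnple.COM" sender), while the legitimate domain and the sender without an "@" produce nothing.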

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: domain_abuse
Kind: eq
Values:
  • true