

Sync from PR#2428
update headers_DL_unsolicited.yml by @zoomequipd
#2428
Source SHA eff4124
Triggered by @zoomequipd
Sublime Rule Testing Bot committed Feb 24, 2025
1 parent 9f12403 commit 10d378d
Showing 1 changed file with 16 additions and 0 deletions.
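--- /dev/null
+++ b/detection-rules/headers_DL_unsolicited.yml
@@ -0,0 +1,16 @@
+name: "Inbound Message from Popular Service Via Newly Observed Distribution List"
+description: "Detects when a message comes through a distribution list by matching on return paths containing Sender Rewrite Scheme (SRS) from a previously unknown domain sender to a single recipient who has never interacted with the organization. This method has been observed being abused by threat actors to deliver callback phishing."
+type: "rule"
+severity: "medium"
+source: "type.inbound\nand length(recipients.to) == 1\nand length(recipients.cc) == 0\nand length(recipients.bcc) == 0\n// abuse involves a popular service\nand sender.email.domain.root_domain in $majestic_million\n\n// message is not from a free mail provider, we have only observed sevice providers abused\nand sender.email.domain.root_domain not in $free_email_providers\nand sender.email.domain.domain not in $free_email_providers\nand not any(recipients.to, .email.email =~ sender.email.email)\n\n// uses Sender Rewrite Scheme indicating the message traversed a distribtion list or other automatic relay\nand (\n strings.icontains(headers.return_path.local_part, \"+SRS=\")\n // when the receipient is a group controlled by the final recipient\n // the return_path header can be overwritten\n // check the SPF designator for evidence of SRS \n or strings.icontains(headers.auth_summary.spf.details.designator, \"+SRS=\")\n or any(headers.hops,\n strings.icontains(.authentication_results.spf_details.designator,\n '+SRS='\n )\n )\n // use the SPF recevied \"mailbox\" to find suspicious forwarding paths\n or length(distinct(filter(map(filter(headers.hops,\n .received.mailbox.raw is not null\n ),\n .received.mailbox.raw\n ),\n not strings.icontains(., mailbox.email.email)\n and not strings.iends_with(.,\n strings.concat(mailbox.email.domain.root_domain,\n '>'\n )\n )\n ),\n // distict the\n .\n )\n ) >= 1\n)\n// the sender and recipient is not in $org_domains\nand sender.email.domain.domain not in $org_domains\n// the recipient has never sent an email to the org\nand all(recipients.to,\n .email.domain.domain not in $org_domains\n // ensure the recipient domain has never send/received an email to/from the org\n and (\n (\n // use the domain only if the sender domain is not within free_email_providers\n .email.domain.domain not in $free_email_providers\n and .email.domain.root_domain not in $free_email_providers\n and .email.domain.domain not in $sender_domains\n and .email.domain.root_domain not in $sender_domains\n and .email.domain.domain not in $recipient_domains\n and .email.domain.root_domain not in $recipient_domains\n )\n or (\n // use the email address the sender domain is within free_email_providers\n (\n .email.domain.domain in $free_email_providers\n or .email.domain.root_domain in $free_email_providers\n )\n and .email.email not in $sender_emails\n and .email.email not in $recipient_emails\n )\n or (\n .email.domain.root_domain in (\"onmicrosoft.com\")\n // negate onmicrosoft domains within org_domains\n and not .email.domain.domain in $org_domains\n )\n )\n)\n// if there are reply-to addresses, ensure they are also not assoicated with the org\nand all(headers.reply_to,\n .email.domain.domain not in $org_domains\n and .display_name not in $org_display_names\n)\n\n// check the return path to ensure it's not related to our sender or the mailbox at all\nand not strings.iends_with(headers.return_path.local_part,\n strings.concat('@', sender.email.domain.domain)\n)\nand not strings.icontains(headers.return_path.local_part,\n mailbox.email.local_part\n)\n\n// not an inbox rule or automatic forward from a Microsoft Account\nand not any(headers.hops,\n any(.fields,\n .name in (\n 'X-MS-Exchange-ForwardingLoop',\n 'X-MS-Exchange-Inbox-Rules-Loop'\n )\n )\n)\n"
+attack_types:
+- "Callback Phishing"
+tactics_and_techniques:
+- "Evasion"
+- "Social engineering"
+detection_methods:
+- "Header analysis"
+- "Sender analysis"
+id: "8f4bc148-a6b3-5dc4-9d2b-893c38c86c48"
+testing_pr: 2428
+testing_sha: eff4124d156152496d165e3b0f1f5aa71ca307c5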
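Review bot: The return-path guard `not strings.iends_with(headers.return_path.local_part, strings.concat('@', sender.email.domain.domain))` in the "check the return path" section appears to be a no-op, because a local part carries no `@` and so can never end with `@<domain>`; if the intent is to exclude SRS-rewritten paths that still encode the original sender's domain, drop the `@` (e.g. `not strings.icontains(headers.return_path.local_part, sender.email.domain.domain)`) or test `headers.return_path.domain` instead. Note also that the `+SRS=` substring matches the Exchange Online rewrite format only; forwarders that emit standard `SRS0=`/`SRS1=` local parts would only be caught by the `received.mailbox` branch, which fires for any hop whose `for <...>` address differs from the final mailbox and its root domain — a comment stating that this broader branch is intentional would help the next maintainer tune false positives. The `distinct(...)` wrapping that filter is redundant for a `>= 1` length test and could be dropped. Several comments carry typos (`sevice`, `distribtion`, `receipient`, `recevied`, `distict`, `assoicated`) that are worth fixing in a follow-up.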
