New Rule: Sender name contains Active Directory distinguished name (#653

)

Co-authored-by: ID Generator <[email protected]>
Co-authored-by: Sam Scholten <[email protected]>

detection-rules/sender_ad_distinguished_name.yml

@@ -0,0 +1,15 @@
+name: "Sender name contains Active Directory distinguished name"
+description: |
+    Sender's display name contains an Active Directory distinguished name or a similar string. This has been observed as a malicious indicator in the wild.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and regex.icontains(sender.display_name, '(EX|LABS|OU|CN|EXCHANGE)(=|/)')
+tags:
+  - "Suspicious sender"
+attack_types:
+  - "Credential Phishing"
+detection_methods:
+  - "Sender analysis"
+id: "4f3c4901-a4ad-509b-ab83-bf3f118a3940"