diff --git a/detection-rules/headers_DL_unsolicited.yml b/detection-rules/headers_DL_unsolicited.yml new file mode 100644 index 00000000000..122ecfcf106 --- /dev/null +++ b/detection-rules/headers_DL_unsolicited.yml @@ -0,0 +1,62 @@ +name: "Inbound Message Via Newly Observed Distribution List" +description: "Detects when a message comes through a distribution list by matching on return paths containing Sender Rewrite Scheme (SRS) from a previously unknown domain sender to a single recipient who has never interacted with the organization. This method has been observed being abused by threat actors to deliver callback phishing." +type: "rule" +severity: "medium" +source: | + type.inbound + and length(recipients.to) == 1 + and length(recipients.cc) == 0 + and length(recipients.bcc) == 0 + // message is not from a free mail provider, we have only observed sevice providers abused + and sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $free_email_providers + and not any(recipients.to, .email.email =~ sender.email.email) + // uses Sender Rewrite Scheme indicating the message traversed a distribtion list or other automatic relay + and strings.icontains(headers.return_path.local_part, "+SRS=") + + // the sender and recipient is not in $org_domains + and sender.email.domain.domain not in $org_domains + // the recipient has never sent an email to the org + and all(recipients.to, + .email.domain.domain not in $org_domains + // ensure the recipient domain has never send/received an email to/from the org + and ( + ( + .email.domain.domain not in $sender_domains + and .email.domain.root_domain not in $sender_domains + and .email.domain.domain not in $recipient_domains + and .email.domain.root_domain not in $recipient_domains + ) + or .email.domain.root_domain in ("onmicrosoft.com") + ) + ) + + + // check the return path to ensure it's not related to our sender or the mailbox at all + and not strings.iends_with(headers.return_path.local_part, + strings.concat('@', sender.email.domain.domain) + ) + and not strings.icontains(headers.return_path.local_part, + mailbox.email.local_part + ) + + // not an inbox rule or automatic forward from a Microsoft Account + and not any(headers.hops, + any(.fields, + .name in ( + 'X-MS-Exchange-ForwardingLoop', + 'X-MS-Exchange-Inbox-Rules-Loop' + ) + ) + ) +attack_types: + - "Callback Phishing" +tactics_and_techniques: + - "Evasion" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" +id: "8f4bc148-a6b3-5dc4-9d2b-893c38c86c48" +testing_pr: 2243 +testing_sha: 75dbfd72d918ad1d1f780cf40e1f4e3c49d456d9