
Commit 0d10e2a

[Test Rules] [PR #4566] added rule: Reconnaissance: Short generic greeting message
1 parent f7a9799 commit 0d10e2a

1 file changed

Lines changed: 88 additions & 0 deletions


Lines changed: 88 additions & 0 deletions
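--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,88 @@
+name: "Reconnaissance: Short generic greeting message"
+description: |
+Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+// detect generic greetings
+and length(body.current_thread.text) <= 20
+and length(subject.base) <= 15
+// exclude messages with previous thread context (forwards/replies)
+and length(body.previous_threads) == 0
+and (
+any(ml.nlu_classifier(body.current_thread.text).entities, .name == "greeting")
+or strings.ilike(body.current_thread.text, "*hi*", "*hello*", "*hey*")
+or length(body.current_thread.text) <= 5
+or regex.match(body.current_thread.text, '\d+')
+)
+// external freemail sender
+and sender.email.domain.root_domain in $free_email_providers
+and sender.email.domain.root_domain not in (
+recipients.to[0].email.domain.root_domain
+)
+and (
+length(recipients.cc) == 0
+or (
+length(recipients.cc) > 0
+and all(recipients.cc,
+.email.domain.root_domain != sender.email.domain.root_domain
+)
+)
+)
+and (
+length(recipients.bcc) == 0
+or (
+length(recipients.bcc) > 0
+and all(recipients.bcc,
+.email.domain.root_domain != sender.email.domain.root_domain
+)
+)
+)
+// no attachments or links
+and length(attachments) == 0
+and length(body.current_thread.links) == 0
+
+// not where the sender and mailbox display_anames indicate this might be a personal email --> work email
+// impersonation is covered by other core feed rules
+and not (
+sum([length(recipients.to), length(recipients.bcc), length(recipients.cc)]) == 1
+and strings.icontains(sender.display_name, mailbox.first_name)
+and strings.icontains(sender.display_name, mailbox.last_name)
+)
+and (
+// auth failed (or absent) - ignore the profile
+coalesce(headers.auth_summary.dmarc.pass, false) == false
+or coalesce(headers.auth_summary.spf.pass, false) == false
+// auth passed - use the profile
+or (
+// no benign messages
+not profile.by_sender_email().any_messages_benign
+and (
+// not soliticed OR common
+not (
+profile.by_sender_email().solicited
+or profile.by_sender_email().prevalence == "common"
+)
+// or HAS been spam_malicious
+or profile.by_sender_email().any_messages_malicious_or_spam
+)
+)
+)
+tags:
+- "Attack surface reduction"
+attack_types:
+- "BEC/Fraud"
+- "Callback Phishing"
+tactics_and_techniques:
+- "Social engineering"
+- "Free email provider"
+detection_methods:
+- "Content analysis"
+- "Header analysis"
+- "Natural Language Understanding"
+- "Sender analysis"
+id: "ae1d7431-e73a-5f82-bca4-6beb570879f9"
+og_id: "c67dedab-91f5-5bbe-af81-f9895a02c065"
+testing_pr: 4566
+testing_sha: ede71fcf8480c7b7799522b852a8b2e50dca1330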
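Review bot: The shared-domain exclusion for `to` recipients (file lines 21-23) inspects only `recipients.to[0]`, whereas the cc and bcc checks below it walk every recipient with `all(...)`; the same form, `and all(recipients.to, .email.domain.root_domain != sender.email.domain.root_domain)`, keeps the three checks consistent and, if `recipients.to` can be empty on a bcc-only delivery, avoids indexing an empty list. The `length(...) == 0 or (length(...) > 0 and all(...))` wrappers around the cc and bcc checks can likewise collapse to the bare `all(...)` provided `all` over an empty list evaluates true in MQL — confirm before simplifying. Whether `regex.match(body.current_thread.text, '\d+')` fires only on an all-numeric body or on any short body containing a digit depends on that function's anchoring semantics; if it is a substring search, this branch is broader than the "detect generic greetings" comment above it suggests and is worth a one-line comment stating the intent. Two comment typos: `display_anames` → `display_names` and `soliticed` → `solicited`.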
