[PR #3737] added rule: Reconnaissance: Large unknown recipient list

github-actions[bot] · github-actions[bot] · commit b36219856c12 · 2026-01-06T16:48:13.000Z
diff --git a/detection-rules/3737_recon_large_recipients_unknown.yml b/detection-rules/3737_recon_large_recipients_unknown.yml
@@ -0,0 +1,95 @@
+name: "Reconnaissance: Large unknown recipient list"
+description: |
+  Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.
+
+  There's a large number of recipients that are unknown to the organization, no links or attachments, and a short body and subject from an unknown sender.
+type: "rule"
+severity: "low"
+source: |
+ type.inbound
+  and (
+    length(recipients.to) > 10
+    and length(filter(recipients.to,
+                      .email.domain.domain not in $org_domains
+                      and .email.email not in $recipient_emails
+                      and (
+                        .email.domain.valid
+                        or strings.icontains(.display_name, "undisclosed")
+                      )
+               )
+    ) >= 10
+  )
+  and (
+    length(subject.subject) <= 10
+    or subject.subject == body.current_thread.text
+    or (subject.is_reply and length(body.previous_threads) == 0)
+  )
+  or not (
+    length(subject.subject) <= 10
+    or subject.subject == body.current_thread.text
+    or (subject.is_reply and length(body.previous_threads) == 0)
+  )
+  and (
+    length(body.links) == 0
+    or length(filter(body.links,
+                     (
+                       .display_text is null
+                       and .display_url.url == sender.email.domain.root_domain
+                     )
+                     or .href_url.domain.domain == "aka.ms"
+                     or network.whois(.display_url.domain).days_old < 30
+              )
+    ) == length(body.links)
+  )
+  and (
+    length(attachments) == 0
+    or (
+      length(attachments) == 1
+      and any(attachments,
+              .file_type in ("pdf", "png", "jpg", "tif", "heif", "doc", "docx")
+              and any(file.explode(.),
+                      length(.scan.ocr.raw) < 20
+                      or length(.scan.strings.strings) == 1
+              )
+      )
+    )
+  )
+  and (
+    body.current_thread.text is null
+    or length(body.current_thread.text) < 50
+    // body length without disclaimer is shorter than 50 characters
+    or (
+      any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
+                     .name == "disclaimer"
+              ),
+              .text
+          ),
+          (length(body.current_thread.text) - length(.)) < 50
+      )
+    )
+  )
+  and profile.by_sender().prevalence != "common"
+  and not profile.by_sender().solicited
+  and not profile.by_sender().any_messages_benign
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+tags:
+  - "Attack surface reduction"
+  - "Deliverability testing"
+attack_types:
+  - "Reconnaissance"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "436c0821-b70c-53ba-aa73-e177a69309bb"
+og_id: "24783a28-b6e2-5cca-9f6d-19c2cdfa6a9a"
+testing_pr: 3737
+testing_sha: 62dfb5c7d8b69d7a7017482d24b027a86d0e774c
