Sync from PR#2194

Create impersonation_sender_local_part_org_sld.yml by @zoomequipd
#2194
Source SHA 4878c84
Triggered by @zoomequipd

detection-rules/impersonation_sender_local_part_org_sld.yml

@@ -0,0 +1,42 @@
+name: "Organization Domain Impersonation From New Sender"
+description: "Detects when an external sender uses the organization's domain as part of the sender's email address while sending links or attachments. The sender must be new or unusual, and either lacks prior reputation or has been previously flagged without false positives."
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  // contains a link or attachment
+  and (length(attachments) > 0 or length(body.links) > 0)
+  // has a recipient in the To field
+  and length(recipients.to) > 0
+  // all the recipients are witihn the $org_domains
+  and all(recipients.to, .email.domain.domain in $org_domains)
+  // sender is not within the org_domain
+  and sender.email.domain.root_domain not in $org_domains
+  // the local part of the sender contains an SLD of the org
+  and any($org_slds,
+          // length check avoids FPs on short SLDs
+          length(.) > 3 and strings.icontains(sender.email.local_part, .)
+  )
+
+  and (
+    // the sender prevalence is new / outlier
+    profile.by_sender().prevalence in ("new", "outlier")
+    // or it's been flagged malicious/spam with now FPs
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+tags:
+  - "Attack surface reduction"
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+detection_methods:
+  - "Sender analysis"
+  - "Header analysis"
+id: "3c9c25ed-69cc-5764-b6bc-7e2aecb8fdb8"
+testing_pr: 2194
+testing_sha: 4878c84ade2d393c30e40ddff17c1a9ffb0ae8df