Newly registered sender or reply-to domain with newly registered linked domain

This rule detects inbound emails that contain links and a reply-to address, where either the sender domain or the reply-to domain is newly registered (≤30 days old), and at least one linked domain is also very new (≤14 days old). It flags potential phishing or business email compromise attempts that use recently created infrastructure and reply-to mismatch tactics to bypass trust and impersonate legitimate contacts.

Sublime rule

```yaml
name: "Newly registered sender or reply-to domain with newly registered linked domain"
description: "This rule detects inbound emails that contain links and a reply-to address, where either the sender domain or the reply-to domain is newly registered (≤30 days old), and at least one linked domain is also very new (≤14 days old). It flags potential phishing or business email compromise attempts that use recently created infrastructure and reply-to mismatch tactics to bypass trust and impersonate legitimate contacts."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) > 0
  and length(headers.reply_to) > 0
  and (
    any(headers.reply_to,
        network.whois(.email.domain).days_old <= 30
        and .email.email != sender.email.email
    )
    or network.whois(sender.email.domain).days_old <= 30
  )
  and any(distinct(body.links, .href_url.domain.root_domain),
          network.whois(.href_url.domain).days_old < 14
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "URL analysis"
  - "Whois"
id: "e5b6a81f-8587-585f-957a-712987ad9884"
```
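To make the predicate above concrete, here is a reference implementation in Python that evaluates the same three conditions (a reply-to present, a new sender or mismatched new reply-to domain, and a new linked domain) against a raw message. It is an added example, not Sublime's code: the WHOIS ages come from a constructed lookup table instead of `network.whois`, `root_domain()` is a last-two-labels approximation of Sublime's suffix-list-aware `.root_domain`, and the two sample messages are constructed. Note that the rule's link check is a strict `< 14` while the description says ≤14; the example keeps the rule's strict comparison.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import getaddresses
from typing import Dict, List

# Constructed stand-in for network.whois(domain).days_old. Real WHOIS is not
# queried; a missing key models a lookup that returned no creation date.
WHOIS_DAYS_OLD: Dict[str, int] = {
    "example.com": 7300,           # long-established sender domain
    "fresh-invoices.test": 12,     # newly registered reply-to domain
    "pay.fresh-portal.test": 5,    # newly registered linked host
    "docs.example.org": 4000,      # established linked host
}

URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)

def age_at_most(domain: str, limit: int, strict: bool = False) -> bool:
    """True only when the WHOIS age is known and within the limit; an unknown
    age never matches, mirroring MQL's comparison against a null days_old."""
    age = WHOIS_DAYS_OLD.get(domain.lower())
    if age is None:
        return False
    return age < limit if strict else age <= limit

def root_domain(host: str) -> str:
    """Approximate .root_domain by keeping the last two labels (assumption:
    no multi-label public suffixes in the sample data)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

@dataclass
class Verdict:
    matched: bool
    reasons: List[str] = field(default_factory=list)

def evaluate(raw_message: str) -> Verdict:
    """Apply the rule's predicate to one RFC 5322 message (assumed inbound)."""
    msg = message_from_string(raw_message)
    payload = msg.get_payload(decode=True) or b""
    link_hosts = URL_RE.findall(payload.decode(errors="replace"))
    reply_to = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", []))]
    from_addrs = getaddresses(msg.get_all("From", []))
    sender = from_addrs[0][1].lower() if from_addrs else ""

    # length(body.links) > 0 and length(headers.reply_to) > 0
    if not link_hosts or not reply_to:
        return Verdict(False, ["missing links or reply-to"])

    reasons: List[str] = []
    # any(headers.reply_to, days_old <= 30 and .email.email != sender.email.email)
    for addr in reply_to:
        if addr != sender and age_at_most(domain_of(addr), 30):
            reasons.append(f"reply-to domain {domain_of(addr)} <= 30 days old")
    # or network.whois(sender.email.domain).days_old <= 30
    if sender and age_at_most(domain_of(sender), 30):
        reasons.append(f"sender domain {domain_of(sender)} <= 30 days old")
    if not reasons:
        return Verdict(False, ["no new sender or reply-to domain"])

    # any(distinct(body.links, .href_url.domain.root_domain), days_old < 14):
    # keep the first link per root domain, then test that host's age.
    first_per_root: Dict[str, str] = {}
    for host in link_hosts:
        first_per_root.setdefault(root_domain(host), host)
    new_links = [h for h in first_per_root.values() if age_at_most(h, 14, strict=True)]
    if not new_links:
        return Verdict(False, reasons + ["no linked domain < 14 days old"])
    reasons.append("linked host(s) < 14 days old: " + ", ".join(new_links))
    return Verdict(True, reasons)

# Constructed sample messages (not real traffic).
SUSPICIOUS = "\n".join([
    "From: Accounts Payable <ap@example.com>",
    "Reply-To: billing@fresh-invoices.test",
    "Subject: Updated invoice",
    "Content-Type: text/plain",
    "",
    "Please review the invoice at https://pay.fresh-portal.test/inv/8812",
    "and the terms at https://docs.example.org/terms",
])
BENIGN = "\n".join([
    "From: Accounts Payable <ap@example.com>",
    "Reply-To: ap-team@example.com",
    "Subject: Updated invoice",
    "Content-Type: text/plain",
    "",
    "Terms: https://docs.example.org/terms",
])

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        v = evaluate(raw)
        print(f"{name}: matched={v.matched} -> {'; '.join(v.reasons)}")
```

The `reasons` list is what you would want surfaced to an analyst: the rule fires only when both a fresh sender-side domain and a fresh linked domain coincide, so recording which branch matched (reply-to versus sender, and which linked host) makes triage of true and false positives much faster than the boolean alone.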
