Newly registered sender or reply-to domain with newly registered linked domain
This rule detects inbound emails that contain links and a reply-to address, where either the sender domain or the reply-to domain is newly registered (≤30 days old), and at least one linked domain is also very new (≤14 days old). It flags potential phishing or business email compromise attempts that use recently created infrastructure and reply-to mismatch tactics to bypass trust and impersonate legitimate contacts.
Sublime rule
name: "Newly registered sender or reply-to domain with newly registered linked domain"
description: "This rule detects inbound emails that contain links and a reply-to address, where either the sender domain or the reply-to domain is newly registered (≤30 days old), and at least one linked domain is also very new (≤14 days old). It flags potential phishing or business email compromise attempts that use recently created infrastructure and reply-to mismatch tactics to bypass trust and impersonate legitimate contacts."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) > 0
  and length(headers.reply_to) > 0
  and (
    any(headers.reply_to,
        network.whois(.email.domain).days_old <= 30
        and .email.email != sender.email.email
    )
    or network.whois(sender.email.domain).days_old <= 30
  )
  and any(distinct(body.links, .href_url.domain.root_domain),
          network.whois(.href_url.domain).days_old < 14
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "URL analysis"
  - "Whois"
id: "e5b6a81f-8587-585f-957a-712987ad9884"
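To make the rule's logic concrete, the following is an added Python stand-in for the MQL above (not Sublime's code or the rule itself). It assumes a constructed WHOIS table and message dicts with only the fields the rule reads, and mirrors the three conditions: a new (≤30 days) reply-to domain whose address differs from the sender, or a new sender domain; plus at least one linked domain under 14 days old, checked once per root domain as `distinct(...)` does.

```python
from datetime import date

# Constructed WHOIS stand-in (assumed values, not real registrations):
# domain -> registration date. Unknown domains return None (no WHOIS data).
FAKE_WHOIS = {
    "example-corp.test": date(2015, 3, 1),   # long-established sender domain
    "examp1e-corp.test": date(2024, 5, 20),  # look-alike reply-to, 21 days old
    "fresh-docs.test": date(2024, 6, 1),     # linked domain, 9 days old
}
TODAY = date(2024, 6, 10)  # fixed "now" so the ages above are reproducible

def days_old(domain):
    """Stand-in for network.whois(domain).days_old; None if no record."""
    registered = FAKE_WHOIS.get(domain)
    return (TODAY - registered).days if registered else None

def within(value, limit, inclusive=True):
    """Age comparison that treats a missing WHOIS age as a non-match."""
    if value is None:
        return False
    return value <= limit if inclusive else value < limit

def rule_matches(msg):
    """Evaluate the rule's conditions over a constructed message dict."""
    if not (msg["inbound"] and msg["links"] and msg["reply_to"]):
        return False
    sender = msg["sender"]
    new_reply_to = any(
        within(days_old(rt["domain"]), 30) and rt["email"] != sender["email"]
        for rt in msg["reply_to"]
    )
    if not (new_reply_to or within(days_old(sender["domain"]), 30)):
        return False
    # distinct(body.links, .href_url.domain.root_domain): first link per root domain
    firsts = {}
    for link in msg["links"]:
        firsts.setdefault(link["root_domain"], link)
    return any(within(days_old(l["domain"]), 14, inclusive=False)
               for l in firsts.values())

def mk(sender, reply_to, links):
    """Build a constructed inbound message with only the fields the rule reads."""
    return {"inbound": True,
            "sender": {"email": sender, "domain": sender.split("@")[1]},
            "reply_to": [{"email": r, "domain": r.split("@")[1]} for r in reply_to],
            "links": [{"domain": d, "root_domain": d} for d in links]}

SUSPICIOUS = mk("ap@example-corp.test", ["ap@examp1e-corp.test"], ["fresh-docs.test"])
BENIGN = mk("ap@example-corp.test", ["ap@example-corp.test"], ["fresh-docs.test"])
```

The BENIGN message carries the same fresh link but no new or mismatched reply-to and an old sender domain, so it does not match; a missing WHOIS age never satisfies a threshold.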