BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply

Detects suspicious reply messages with urgent language in the sender's display name or email address, minimal body content, and the sender's email address appearing in the quoted previous thread, indicating a self-reply.

Sublime rule (View on GitHub)

name: "BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply"
description: "Detects suspicious reply messages with urgent language in sender name or email address, minimal body content, and the sender's email address appearing in previous thread content, indicating a self reply."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and subject.is_reply
  and length(attachments) == 0
  // short current thread
  and length(body.current_thread.text) < 25
  // only 1 previous thread
  and length(body.previous_threads) == 1
  and any(recipients.to,
          .email.domain.root_domain != sender.email.domain.root_domain
  )
  // urgent or authority based keywords in sender display name or local part
  and (
    regex.icontains(sender.display_name,
                    '\b(?:(?:crucial|urgent|immediate|important|quick)(?:ly)?|immediatetask|emergency)\b'
    )
    or regex.icontains(sender.email.local_part, '(?:task|ceo|executive)')
  )
  // sender replied to themselves
  and any(body.previous_threads, strings.icontains(.preamble, sender.email.email))

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "1754260a-3ac4-5825-a04f-93062fe4c885"
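To see how the clauses combine, here is an added Python re-implementation of the rule's logic run over two constructed messages; it is not Sublime's code, and the Message class, the simplified root_domain and subject check, and the sample addresses are assumptions for the example. It also returns each clause's result separately, which the rule itself does not, so an analyst can see which clause a near-miss message fails.

```python
import re
from dataclasses import dataclass

# Regexes copied from the rule's regex.icontains() calls; re.I reproduces the case-insensitive match.
URGENT_NAME = re.compile(
    r"\b(?:(?:crucial|urgent|immediate|important|quick)(?:ly)?|immediatetask|emergency)\b", re.I)
AUTHORITY_LOCAL = re.compile(r"(?:task|ceo|executive)", re.I)

@dataclass
class Message:  # constructed stand-in for the Sublime message object, not the real MQL schema
    sender_name: str
    sender_email: str
    to: list                  # recipient addresses
    subject: str
    current_thread_text: str  # body.current_thread.text
    previous_preambles: list  # one "On <date>, X <x@y> wrote:" preamble per quoted earlier message
    attachments: int = 0

def root_domain(addr: str) -> str:
    # Approximation (last two labels); Sublime's root_domain uses the public suffix list.
    return ".".join(addr.rsplit("@", 1)[-1].lower().split(".")[-2:])

def evaluate(msg: Message) -> dict:
    """Each rule clause with its result, so an analyst can see which clause a message fails."""
    sender_domain = root_domain(msg.sender_email)
    local_part = msg.sender_email.split("@", 1)[0]
    return {
        "is_reply": re.match(r"\s*re\s*:", msg.subject, re.I) is not None,  # simplified subject.is_reply
        "no_attachments": msg.attachments == 0,
        "short_current_thread": len(msg.current_thread_text) < 25,
        "one_previous_thread": len(msg.previous_preambles) == 1,
        "external_recipient": any(root_domain(r) != sender_domain for r in msg.to),
        "urgent_sender": bool(URGENT_NAME.search(msg.sender_name) or AUTHORITY_LOCAL.search(local_part)),
        "self_reply": any(msg.sender_email.lower() in p.lower() for p in msg.previous_preambles),
    }

def matches_rule(msg: Message) -> bool:
    return all(evaluate(msg).values())

# Constructed samples: a fabricated self-replied thread, and a routine reply from a real partner.
SUSPICIOUS = Message("Urgent Task", "ceo.office@mail-example.net", ["finance@victim-corp.example"],
                     "Re: Quick request", "Did you get my email?",
                     ["On Mon, 3 Jun, Urgent Task <ceo.office@mail-example.net> wrote:"])
BENIGN = Message("Dana Lee", "dana.lee@partner.example", ["finance@victim-corp.example"],
                 "Re: Invoice 1042", "Thanks, approved.",
                 ["On Mon, 3 Jun, Finance <finance@victim-corp.example> wrote:"])
```

The benign reply shares the short-body, single-thread and external-recipient traits; only the urgent-sender and self-reply clauses separate it, which is why the rule requires all of them together.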