Generic Service Abuse From Newly Registered Domain

Detects messages from services that write the true sender to the reply-to field, where the sender has no prior legitimate message history and is newly registered. Indicative of service abuse.

Sublime rule

```yaml
name: "Generic Service Abuse From Newly Registered Domain"
description: "Detects messages from services that write the true sender to the reply-to field, where the sender has no prior legitimate message history and is newly registered. Indicative of service abuse."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
  and sender.email.domain.domain in $replyto_service_domains
  //
  // This rule makes use of a beta feature and is subject to change without notice
  // using the beta feature in custom rules is not suggested until it has been formally released
  //
  and not beta.profile.by_reply_to().solicited
  and not beta.profile.by_reply_to().any_messages_benign

tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "Whois"
id: "0937b4c5-72d8-5efd-834f-c80ca8336f25"
```
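To make the rule's four conditions concrete, the following is an added Python re-implementation of the same logic over constructed messages; it is not Sublime's code and not part of this rule. The `$replyto_service_domains` list, the whois creation dates and the reply-to profiles are constructed stand-ins (the real list contents and the beta profile internals are not on the page), `registered_domain` approximates `.domain.domain` with the last two labels instead of the public suffix list, and the profile is assumed to be keyed on the first reply-to address. One caveat the code makes explicit: when no whois record exists, `days_old` is unavailable and the rule does not fire.

```python
from dataclasses import dataclass
from datetime import date

# Constructed stand-in for Sublime's $replyto_service_domains list (assumption:
# the real list's entries are not on the page, these names are illustrative only).
REPLYTO_SERVICE_DOMAINS = {"mailer-service.example", "esign-service.example"}

# Constructed stand-in for network.whois(domain) creation dates (offline table).
WHOIS_CREATED = {
    "fresh-invoices.example": date(2024, 5, 20),
    "established-corp.example": date(2010, 1, 15),
}

# Constructed stand-in for beta.profile.by_reply_to(): history per reply-to address.
REPLY_TO_PROFILE = {
    "billing@fresh-invoices.example": {"solicited": False, "any_messages_benign": False},
    "ap@established-corp.example": {"solicited": True, "any_messages_benign": True},
    "sales@fresh-invoices.example": {"solicited": False, "any_messages_benign": True},
}


@dataclass
class Message:
    inbound: bool          # type.inbound
    sender: str            # From: header address (sender.email)
    reply_to: list         # Reply-To: header addresses (headers.reply_to), may be empty


def registered_domain(host: str) -> str:
    """Approximates Sublime's .domain.domain (registered domain) by keeping the
    last two labels; a production implementation would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def domain_of(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def whois_days_old(domain: str, today: date):
    """Stand-in for network.whois(domain).days_old; None when no record exists."""
    created = WHOIS_CREATED.get(registered_domain(domain))
    return (today - created).days if created else None


def is_newly_registered(domain: str, today: date, threshold: int = 30) -> bool:
    """days_old < threshold; a missing whois record counts as 'not new'."""
    age = whois_days_old(domain, today)
    return age is not None and age < threshold


def profile_by_reply_to(address: str) -> dict:
    """Stand-in for beta.profile.by_reply_to(); an unseen address has no history."""
    return REPLY_TO_PROFILE.get(
        address.lower(), {"solicited": False, "any_messages_benign": False}
    )


def matches_rule(msg: Message, today: date) -> bool:
    """True when the message satisfies every condition of the rule's source."""
    if not msg.inbound:
        return False
    # any(headers.reply_to, network.whois(.email.domain).days_old < 30)
    if not any(is_newly_registered(domain_of(a), today) for a in msg.reply_to):
        return False
    # sender.email.domain.domain in $replyto_service_domains
    if registered_domain(domain_of(msg.sender)) not in REPLYTO_SERVICE_DOMAINS:
        return False
    # not beta.profile.by_reply_to().solicited
    # and not beta.profile.by_reply_to().any_messages_benign
    # (assumption: the profile is keyed on the first reply-to address)
    profile = profile_by_reply_to(msg.reply_to[0])
    return not profile["solicited"] and not profile["any_messages_benign"]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    hit = Message(True, "notify@mailer-service.example", ["billing@fresh-invoices.example"])
    known = Message(True, "notify@mailer-service.example", ["ap@established-corp.example"])
    print(matches_rule(hit, today), matches_rule(known, today))
```

Running the block prints `True False`: the first message relays a reply-to address on a 12-day-old domain with no benign history through a listed service, while the second points back at an established, previously solicited address. The profile checks are what keep legitimate service traffic from alerting, so a reply-to address that has exchanged benign mail before is excluded even when its domain is new.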
