Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)

This rule detects unsolicited messages where the only visible recipient is the sender's own address and no other recipients (To, CC, or BCC) are identified. The Reply-To address does not match the sender, belongs to a free email provider, and the body contains no links. This is a common combination of techniques used by low-level BEC threats.

Sublime rule

name: "Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)"
description: |
  This rule detects unsolicited messages where the recipient matches the sender address and no other recipients are identified.
  The reply-to address does not match the sender, and is a freemail with no links in the body.
  This is a common combination of techniques used by low-level BEC threats.
type: "rule"
severity: "medium"
source: |
  type.inbound
  # the sender addressed the message to itself (recipient masking)
  and any(recipients.to, .email.email == sender.email.email)
  and length(recipients.cc) == 0
  and length(recipients.bcc) == 0
  # no links in the body
  and length(body.links) == 0
  # Reply-To is a freemail domain that differs from the sender's domain
  and any(headers.reply_to,
          .email.domain.domain in $free_email_providers
          and not .email.domain.domain == sender.email.domain.domain
  )
  # sender is unsolicited, or previously flagged without false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "682191bf-a623-5f03-a497-9b8590535697"
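The following is an added Python re-implementation of the rule's logic (not Sublime's own code), run over constructed sample messages so each clause, including the "same freemail domain as sender" exclusion and the sender-profile override, can be checked. The FREE_EMAIL_PROVIDERS set and the SenderProfile/Message classes are stand-ins for the rule's $free_email_providers list and the MQL message model.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the rule's $free_email_providers list.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}

@dataclass
class SenderProfile:  # stand-in for profile.by_sender()
    solicited: bool
    any_messages_malicious_or_spam: bool = False
    any_false_positives: bool = False

@dataclass
class Message:  # stand-in for the MQL message object
    sender: str
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    reply_to: list = field(default_factory=list)
    body_links: int = 0
    profile: SenderProfile = field(default_factory=lambda: SenderProfile(solicited=False))

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def matches_rule(msg):
    """Mirror of the rule's 'source' block: every clause must hold."""
    sender_dom = domain(msg.sender)
    # Recipient masking: the sender is in To and nobody else is visible.
    self_addressed = any(r.lower() == msg.sender.lower() for r in msg.to)
    no_other_recipients = not msg.cc and not msg.bcc
    # Reply-To lands on a freemail domain that differs from the sender's.
    reply_to_mismatch = any(
        domain(rt) in FREE_EMAIL_PROVIDERS and domain(rt) != sender_dom
        for rt in msg.reply_to
    )
    p = msg.profile
    unsolicited = (not p.solicited) or (
        p.any_messages_malicious_or_spam and not p.any_false_positives
    )
    return self_addressed and no_other_recipients and msg.body_links == 0 and reply_to_mismatch and unsolicited

# Constructed sample messages (addresses are placeholders).
BEC_ATTEMPT = Message(sender="ceo@corp.example", to=["ceo@corp.example"],
                      reply_to=["ceo.private@gmail.com"])
SAME_FREEMAIL = Message(sender="alice@gmail.com", to=["alice@gmail.com"],
                        reply_to=["alice.backup@gmail.com"])
KNOWN_SENDER = Message(sender="ceo@corp.example", to=["ceo@corp.example"],
                       reply_to=["ceo.private@gmail.com"],
                       profile=SenderProfile(solicited=True))
```

SAME_FREEMAIL shows why the rule compares Reply-To against the sender's domain: a freemail sender replying via the same provider is not the mismatch this rule targets.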