BEC with unusual reply-to or return-path mismatch
Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence.
# Sublime Security detection rule: flags inbound mail whose sender domain is
# not a freemail provider while the Return-Path or every Reply-To address is,
# combined with a high-confidence NLU BEC/advance-fee intent.
name: "BEC with unusual reply-to or return-path mismatch"
# NOTE(review): the description says "medium or high confidence" and "a BEC
# intent", but the query below matches only .confidence == "high" and also
# accepts the "advance_fee" intent — confirm which side is intended and align them.
description: "Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence."
type: "rule"
severity: "high"
source: |
  // inbound mail only
  type.inbound
  // NLU: any intent named bec or advance_fee at high confidence
  // (medium confidence is not matched here, despite the description)
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("bec", "advance_fee") and .confidence == "high"
  )
  // header mismatch: the Return-Path root domain is freemail, or there is at
  // least one Reply-To and every Reply-To root domain is freemail
  and (
    headers.return_path.domain.root_domain in $free_email_providers
    or (
      length(headers.reply_to) > 0
      and all(headers.reply_to,
              .email.domain.root_domain in $free_email_providers
      )
    )
  )
  // paypal.com special case: the net effect is that a paypal.com sender is
  // excluded only when DMARC passes; every other sender (including a null
  // root domain) passes this clause
  and (
    (
      sender.email.domain.root_domain == "paypal.com"
      and (
        not headers.auth_summary.dmarc.pass
        or headers.auth_summary.dmarc.pass is null
      )
    )
    or sender.email.domain.root_domain is null
    or sender.email.domain.root_domain != "paypal.com"
  )
  // the sender itself must not be freemail — this is the "mismatch"
  and sender.email.domain.root_domain not in $free_email_providers

  // negate gmail autoforwards ("+caf_=" in the Return-Path local part);
  // the null check guards the ilike, so a null Return-Path passes this clause
  and (
    headers.return_path.email is null
    or not strings.ilike(headers.return_path.local_part, "*+caf_=*")
  )

  // negate listservs: a List-Unsubscribe field in any hop plus "via" in the
  // sender display name
  and not (
    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
    and strings.contains(sender.display_name, "via")
  )

  // negate legit replies: References present, or an In-Reply-To field in any hop
  and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )

  // legitimate quickbooks from known sender: exact sender address, SPF passes,
  // and the reply-to profile prevalence is one of the listed values
  // (presumably every value except a brand-new one — verify against the
  // prevalence enum)
  and not (
    sender.email.email == "quickbooks@notification.intuit.com"
    and headers.auth_summary.spf.pass
    and beta.profile.by_reply_to().prevalence in (
      "outlier",
      "uncommon",
      "rare",
      "common"
    )
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "83e5e2df-7049-5990-b20d-1ff6bc6fd6f0"