BEC with unusual reply-to or return-path mismatch
Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence.
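# Sublime detection rule. The query under "source" is one boolean expression:
# every top-level "and" clause is a requirement and every "and not" clause is
# an explicit false-positive exclusion. Rendered gutter numbers removed.
name: "BEC with unusual reply-to or return-path mismatch"
# Fix: the description previously said "medium or high confidence", but the
# query only accepts a "high" confidence verdict (see the intents check below).
description: "Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with high confidence."
type: "rule"
severity: "high"
source: |
  // only inbound mail is evaluated
  type.inbound

  // NLU: at least one intent of "bec" or "advance_fee" at high confidence.
  // "medium" is not matched; widening this would need a deliberate FP review.
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("bec", "advance_fee") and .confidence == "high"
  )

  // the mismatch itself: the return-path root domain is a freemail provider,
  // or every reply-to address is (an empty reply-to list does not qualify)
  and (
    headers.return_path.domain.root_domain in $free_email_providers
    or (
      length(headers.reply_to) > 0
      and all(headers.reply_to,
              .email.domain.root_domain in $free_email_providers
      )
    )
  )

  // paypal.com handling: the three branches together admit every sender
  // except paypal.com mail that passes DMARC. The "is null" branches are
  // written out so that a null root domain or null DMARC result does not
  // drop the whole clause through null propagation.
  and (
    (
      sender.email.domain.root_domain == "paypal.com"
      and (
        not headers.auth_summary.dmarc.pass
        or headers.auth_summary.dmarc.pass is null
      )
    )
    or sender.email.domain.root_domain is null
    or sender.email.domain.root_domain != "paypal.com"
  )

  // the sender itself must not be a freemail domain, otherwise there is no
  // header mismatch to speak of
  and sender.email.domain.root_domain not in $free_email_providers

  // negate gmail autoforwards and null return paths
  and (
    headers.return_path.email is null
    or not strings.ilike(headers.return_path.local_part, "*+caf_=*")
  )

  // negate listservs
  and not (
    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
    and strings.contains(sender.display_name, "via")
  )

  // negate legit replies
  and not (length(headers.references) > 0 or headers.in_reply_to is not null)

  // legitimate quickbooks from known sender: SPF must pass and the reply-to
  // must already have a prevalence record for this recipient
  and not (
    sender.email.email == "quickbooks@notification.intuit.com"
    and headers.auth_summary.spf.pass
    and beta.profile.by_reply_to().prevalence in (
      "outlier",
      "uncommon",
      "rare",
      "common"
    )
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "83e5e2df-7049-5990-b20d-1ff6bc6fd6f0"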