BEC with unusual Reply-to or Return-path mismatch
Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence.
Sublime rule
name: "BEC with unusual Reply-to or Return-path mismatch"
description: "Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("bec") and .confidence == "high"
  )
  and (
    headers.return_path.domain.root_domain in $free_email_providers
    or (
      length(headers.reply_to) > 0
      and all(headers.reply_to, .email.domain.root_domain in $free_email_providers)
    )
  )
  and not (
    sender.email.domain.root_domain == "paypal.com"
    and any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*pass")
    )
  )
  and sender.email.domain.root_domain not in $free_email_providers

  // negate gmail autoforwards and null return paths
  and (
    headers.return_path.email is null
    or not any([headers.return_path.email], strings.ilike(headers.return_path.local_part, "*+caf_=*"))
  )

  // negate listservs
  and not (
    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
    and strings.contains(sender.display_name, "via")
  )

  // negate legit replies
  and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "83e5e2df-7049-5990-b20d-1ff6bc6fd6f0"
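To make the header-mismatch logic above concrete, here is an added Python example (not part of the Sublime rule or the Sublime project) that re-implements the rule's header conditions with the standard library and runs them over three constructed messages: a corporate sender with a freemail Reply-To, the same mismatch inside an existing thread, and a Gmail auto-forward. It assumes a small constructed stand-in for the `$free_email_providers` list, approximates `root_domain` as the last two DNS labels (wrong for suffixes such as co.uk), checks for DMARC by scanning `Authentication-Results` for `dmarc=pass`, and takes the NLU "bec" confidence as a plain string parameter since `ml.nlu_classifier` cannot be reproduced offline. The `matches_rule` function and the sample messages are hypothetical names chosen for this example.

```python
"""Stand-alone re-implementation of the header conditions of the Sublime rule
"BEC with unusual Reply-to or Return-path mismatch" (added example, not the
rule's own code). The NLU intent check is replaced by a string parameter."""
import email
from email.utils import getaddresses, parseaddr
from fnmatch import fnmatch

# Constructed stand-in for Sublime's $free_email_providers list.
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def root_domain(address: str) -> str:
    """Approximate .domain.root_domain: the last two DNS labels of the address's domain
    (assumption of this example; it is wrong for multi-label public suffixes like co.uk)."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def local_part(address: str) -> str:
    """The part of an address before the '@' (mirrors headers.return_path.local_part)."""
    return address.rsplit("@", 1)[0] if "@" in address else address


def matches_rule(raw: bytes, bec_confidence: str) -> bool:
    """True when the message satisfies every condition of the rule, given the
    NLU 'bec' intent confidence supplied by the caller (stand-in for ml.nlu_classifier)."""
    msg = email.message_from_bytes(raw)

    # any(ml.nlu_classifier(...).intents, .name in ("bec") and .confidence == "high")
    if bec_confidence != "high":
        return False

    sender_name, sender_addr = parseaddr(msg.get("From", ""))
    sender_root = root_domain(sender_addr)

    # headers.return_path.email is null when there is no Return-Path header.
    return_path = parseaddr(msg.get("Return-Path", ""))[1] or None
    reply_to = [addr for _, addr in getaddresses(msg.get_all("Reply-To", [])) if addr]

    # Either the Return-Path or every Reply-To address is on a freemail domain.
    return_path_is_free = return_path is not None and root_domain(return_path) in FREE_EMAIL_PROVIDERS
    reply_to_all_free = bool(reply_to) and all(root_domain(a) in FREE_EMAIL_PROVIDERS for a in reply_to)
    if not (return_path_is_free or reply_to_all_free):
        return False

    # Rule exception: paypal.com sender whose hops carry a DMARC pass.
    # Approximated here by scanning Authentication-Results headers for "dmarc=pass".
    auth_results = msg.get_all("Authentication-Results", [])
    dmarc_pass = any("dmarc=pass" in ar.lower() for ar in auth_results)
    if sender_root == "paypal.com" and dmarc_pass:
        return False

    # The sender itself must not be a freemail address (that is the "mismatch").
    if sender_root in FREE_EMAIL_PROVIDERS:
        return False

    # Negate Gmail auto-forwards: "+caf_=" in the Return-Path local part. Null return paths pass.
    if return_path is not None and fnmatch(local_part(return_path).lower(), "*+caf_=*"):
        return False

    # Negate listservs: a List-Unsubscribe header together with "via" in the display name.
    if msg.get("List-Unsubscribe") is not None and "via" in sender_name:
        return False

    # Negate legitimate replies: References or In-Reply-To present.
    if msg.get("References") or msg.get("In-Reply-To") is not None:
        return False

    return True


# Constructed sample: corporate sender, freemail Reply-To, new thread -> matches.
SUSPICIOUS = b"""From: "Jane Doe" <jane.doe@example-corp.test>
Reply-To: jane.doe.ceo@gmail.com
To: finance@example-corp.test
Subject: quick favour
Message-ID: <1@example-corp.test>

Are you at your desk? I need a payment processed today.
"""

# Constructed sample: same mismatch but it is a reply in an existing thread -> negated.
THREAD_REPLY = b"""From: "Jane Doe" <jane.doe@example-corp.test>
Reply-To: jane.doe@gmail.com
In-Reply-To: <0@example-corp.test>
References: <0@example-corp.test>
Subject: Re: invoice

Thanks, sending now.
"""

# Constructed sample: Gmail auto-forward (Return-Path local part contains "+caf_=") -> negated.
AUTOFORWARD = b"""Return-Path: <bob+caf_=bob=example-corp.test@gmail.com>
From: Bob <bob@partner.test>
To: bob@example-corp.test
Subject: forwarded mail

Hello.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("thread reply", THREAD_REPLY), ("autoforward", AUTOFORWARD)):
        print(f"{label:13s} high-confidence bec -> {matches_rule(sample, 'high')}")
```

Only the first sample trips the check; the thread reply and the auto-forward are excluded by the same negations the rule carries, which is the behaviour to keep in mind when tuning: the false-positive guards are what separate this from a plain "Reply-To domain differs from From domain" rule.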