BEC with unusual Reply-to or Return-path mismatch

Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence.

Sublime rule (View on GitHub)

 1name: "BEC with unusual Reply-to or Return-path mismatch"
 2description: "Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(ml.nlu_classifier(body.current_thread.text).intents,
 8          .name in ("bec") and .confidence == "high"
 9  )
10  and (
11    headers.return_path.domain.root_domain in $free_email_providers
12    or (
13      length(headers.reply_to) > 0
14      and all(headers.reply_to, .email.domain.root_domain in $free_email_providers)
15    )
16  )
17  and not (
18    sender.email.domain.root_domain == "paypal.com"
19    and any(distinct(headers.hops, .authentication_results.dmarc is not null),
20            strings.ilike(.authentication_results.dmarc, "*pass")
21    )
22  )
23  and sender.email.domain.root_domain not in $free_email_providers
24  
25  // negate gmail autoforwards and null return paths
26  and (
27    headers.return_path.email is null
28    or not any([headers.return_path.email], strings.ilike(headers.return_path.local_part, "*+caf_=*"))
29  )
30  
31  // negate listservs
32  and not (
33    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
34    and strings.contains(sender.display_name, "via")
35  )
36  
37  // negate legit replies
38  and not (
39    length(headers.references) > 0
40    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
41  )  
42attack_types:
43  - "BEC/Fraud"
44tactics_and_techniques:
45  - "Evasion"
46  - "Free email provider"
47  - "Social engineering"
48detection_methods:
49  - "Content analysis"
50  - "Header analysis"
51  - "Natural Language Understanding"
52  - "Sender analysis"
53id: "83e5e2df-7049-5990-b20d-1ff6bc6fd6f0"