BEC with unusual Reply-to or Return-path mismatch

Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence.

Sublime rule (View on GitHub)

# NOTE(review): name/description say "medium or high confidence", but the MQL
# source below only accepts .confidence == "high" — confirm which is intended.
name: "BEC with unusual Reply-to or Return-path mismatch"
description: "Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence."
type: "rule"
severity: "high"
source: |
  // inbound mail whose current-thread body the NLU classifier tags with a
  // "bec" intent at high confidence (only "high" is checked here, although
  // the description says medium or high — confirm)
  type.inbound
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("bec") and .confidence == "high"
  )
  // the Return-Path root domain, or every Reply-To root domain, is a free
  // email provider (reply_to must be non-empty for the all() branch to count)
  and (
    headers.return_path.domain.root_domain in $free_email_providers
    or (
      length(headers.reply_to) > 0
      and all(headers.reply_to,
              .email.domain.root_domain in $free_email_providers
      )
    )
  )
  // paypal.com senders only match when DMARC did not pass (false or null);
  // every other sender root domain, including null, satisfies this clause
  and (
    (
      sender.email.domain.root_domain == "paypal.com"
      and (
        not headers.auth_summary.dmarc.pass
        or headers.auth_summary.dmarc.pass is null
      )
    )
    or sender.email.domain.root_domain is null
    or sender.email.domain.root_domain != "paypal.com"
  )
  // the mismatch itself: the sender's own root domain is not a free email provider
  and sender.email.domain.root_domain not in $free_email_providers
  
  // negate gmail autoforwards and null return paths
  // (a Return-Path local part matching "*+caf_=*" is excluded; a null
  // Return-Path is kept so the Reply-To branch above can still fire)
  and (
    headers.return_path.email is null
    or not strings.ilike(headers.return_path.local_part, "*+caf_=*")
  )
  
  // negate listservs
  // NOTE(review): this header-name match is exact/case-sensitive, unlike the
  // strings.ilike() used for In-Reply-To below — confirm that is intended
  and not (
    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
    and strings.contains(sender.display_name, "via")
  )
  
  // negate legit replies
  // (any References entries, or an In-Reply-To field on any hop, excludes the message)
  and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )  


# rule metadata
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "83e5e2df-7049-5990-b20d-1ff6bc6fd6f0"