Headers: Invalid recipient domain with mismatched reply-to from new sender

Message sent to an invalid recipient domain with a Reply-To header whose root domain differs from the sender's root domain, originating from a sender the organization has not seen before. The rule fires only when all three signals coincide: at most one To recipient and that recipient's domain is not valid (a common sign of a forged or placeholder To header, with the real targets hidden in Bcc), exactly one Reply-To entry pointing at a different root domain than the sender (so replies are steered away from the apparent sender), and a new sender with no prior history.

Sublime rule

name: "Headers: Invalid recipient domain with mismatched reply-to from new sender"
description: "Message sent to an invalid recipient domain with a reply-to address that differs from the sender address, originating from a new sender."
type: "rule"
severity: "medium"
false_positives:
  - "Any sender that fails email authentication will trigger the prevalence logic. For recurring benign senders, apply sender exclusions to prevent unnecessary matches."
source: |
  type.inbound
  and length(recipients.to) <= 1
  and all(recipients.to, .email.domain.valid == false)
  and length(headers.reply_to) == 1
  and headers.reply_to[0].email.domain.root_domain != sender.email.domain.root_domain
  and profile.by_sender_email().prevalence == "new"
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "f375ded1-a60e-58db-af3b-ef4983883196"
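To see how the five conditions interact, here is the same logic re-implemented in plain Python and run over a handful of constructed sample messages. This is an added example, not Sublime's code or its MQL engine: the `domain_valid` and `root_domain` helpers are simplified stand-ins for Sublime's `.email.domain.valid` and `.root_domain` (which use a public suffix list), and sender prevalence is modelled as a lookup against a hypothetical set of previously seen sender addresses.

```python
"""Stand-alone re-implementation of the rule's conditions (added example).

Assumptions: `domain_valid` and `root_domain` are simplified stand-ins for
Sublime's public-suffix-aware checks, and `SEEN_SENDERS` stands in for the
organisation's sender-prevalence profile. Sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed history of sender addresses the organisation has seen before.
SEEN_SENDERS = {"billing@vendor-example.com"}

# Simplified validity check: hostname labels joined by dots, ending in an
# alphabetic TLD of 2+ characters. A bare word such as "accounts-payable"
# therefore counts as invalid, mirroring `.email.domain.valid == false`.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def domain_valid(domain: str) -> bool:
    return bool(DOMAIN_RE.match(domain))


def root_domain(domain: str) -> str:
    # Last two labels; a real implementation consults the public suffix list.
    labels = domain.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def prevalence(sender: str) -> str:
    # Stand-in for profile.by_sender_email().prevalence.
    return "new" if sender.lower() not in SEEN_SENDERS else "common"


def matches(raw: str) -> bool:
    """Return True when the raw RFC 5322 message satisfies every rule condition."""
    msg = message_from_string(raw)
    to = [a for _, a in getaddresses(msg.get_all("To", [])) if a]
    reply_to = [a for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    sender = parseaddr(msg.get("From", ""))[1]
    if not sender:
        return False
    return (
        len(to) <= 1
        # Python's all() is vacuously true on an empty list, as with a To-less message.
        and all(not domain_valid(domain_of(a)) for a in to)
        and len(reply_to) == 1
        and root_domain(domain_of(reply_to[0])) != root_domain(domain_of(sender))
        and prevalence(sender) == "new"
    )


def make_message(frm: str, to: str, reply_to: str = "") -> str:
    """Build a minimal constructed message with the headers the rule inspects."""
    headers = [f"From: {frm}", f"To: {to}", "Subject: Overdue invoice"]
    if reply_to:
        headers.append(f"Reply-To: {reply_to}")
    return "\r\n".join(headers) + "\r\n\r\nPlease remit payment today.\r\n"


# Constructed samples: one message that should match, and one per condition that
# should prevent a match when it fails.
SAMPLES = {
    "bec_lure_new_sender": make_message(
        '"Acme Billing" <billing@vendor-lookalike.example>',
        "payments@accounts-payable",  # no TLD -> invalid recipient domain
        "ap-desk@reply-box.example",  # replies steered to a different root domain
    ),
    "known_sender": make_message(
        "billing@vendor-example.com",  # in SEEN_SENDERS -> prevalence not "new"
        "payments@accounts-payable",
        "ap-desk@reply-box.example",
    ),
    "valid_recipient_domain": make_message(
        "billing@vendor-lookalike.example",
        "payments@contoso.example",  # valid recipient domain
        "ap-desk@reply-box.example",
    ),
    "reply_to_same_root": make_message(
        "alerts@mail.vendor-lookalike.example",
        "payments@accounts-payable",
        "support@vendor-lookalike.example",  # same root domain as the sender
    ),
    "no_reply_to": make_message(
        "billing@vendor-lookalike.example",
        "payments@accounts-payable",
    ),
}


def evaluate_samples() -> dict:
    return {name: matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:26s} -> {'MATCH' if hit else 'no match'}")
```

Only the first sample matches; each of the others clears exactly one condition, which is the point of stacking the three signals: a divergent Reply-To on its own is common among legitimate bulk senders, and the invalid To domain and new-sender requirements are what keep the rule's false-positive rate low.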
