Headers: Fake in-reply-to with wildcard sender and missing thread context
Detects messages that carry an In-Reply-To header (so claim to be part of an existing thread) but whose subject is not marked as a reply or forward and whose body contains no quoted previous thread, sent from an address whose local part contains two or more wildcard characters (asterisks).
Sublime rule (source on GitHub):

```yaml
name: "Headers: Fake in-reply-to with wildcard sender and missing thread context"
description: "Detects messages claiming to be replies with In-Reply-To headers but lacking previous thread context, sent from addresses containing multiple wildcard characters in the local part."
type: "rule"
severity: "high"
source: |
  type.inbound
  and headers.in_reply_to is not null
  and not (subject.is_forward or subject.is_reply)
  and length(body.previous_threads) == 0
  and strings.count(sender.email.local_part, "*") >= 2

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "Content analysis"
id: "89da670a-4b03-52f7-891c-48820bb2362a"
```
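To see how the four conditions combine, here is an added Python approximation of the rule's logic run over constructed sample messages. It is not Sublime's engine and not code from the rule's repository: `subject.is_reply` / `subject.is_forward` and `body.previous_threads` are stood in for by regular expressions that are assumptions about what those MQL helpers recognise, and `type.inbound` is not modelled (the caller is assumed to feed it only inbound mail). The sample messages and the `example.test` / `corp.test` addresses are constructed for the example.

```python
"""Added approximation of the rule above, for illustration only (not Sublime's evaluator)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Subject prefixes standing in for subject.is_reply / subject.is_forward (assumption:
# Sublime's own normalisation may recognise more localised prefixes than listed here).
REPLY_PREFIX = re.compile(r"^\s*(re|aw|sv)\s*(\[\d+\])?\s*:", re.IGNORECASE)
FORWARD_PREFIX = re.compile(r"^\s*(fwd?|wg|tr)\s*(\[\d+\])?\s*:", re.IGNORECASE)

# Quoted-context markers standing in for body.previous_threads (assumption: the real
# parser extracts structured previous-thread objects; this only spots common markers).
THREAD_MARKERS = [
    re.compile(r"^\s*>", re.MULTILINE),                                   # '>'-quoted lines
    re.compile(r"^On .+ wrote:\s*$", re.MULTILINE),                       # "On <date>, X wrote:"
    re.compile(r"^-{2,}\s*Original Message\s*-{2,}", re.MULTILINE | re.IGNORECASE),
    re.compile(r"^From:\s.+\n(Sent|Date):\s", re.MULTILINE),              # Outlook header block
]


def previous_thread_count(body: str) -> int:
    """Approximation of length(body.previous_threads): number of marker kinds present."""
    return sum(1 for marker in THREAD_MARKERS if marker.search(body))


def local_part(address: str) -> str:
    """Local part of an addr-spec (text before the last '@'); empty if there is no '@'."""
    name, sep, _domain = address.rpartition("@")
    return name if sep else ""


def rule_matches(raw: bytes) -> bool:
    """Evaluate the rule's conditions against one raw RFC 5322 message (assumed inbound)."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # headers.in_reply_to is not null
    if msg.get("In-Reply-To") is None:
        return False

    # not (subject.is_forward or subject.is_reply)
    subject = str(msg.get("Subject", ""))
    if REPLY_PREFIX.match(subject) or FORWARD_PREFIX.match(subject):
        return False

    # length(body.previous_threads) == 0
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if previous_thread_count(body) != 0:
        return False

    # strings.count(sender.email.local_part, "*") >= 2
    _display, addr = parseaddr(str(msg.get("From", "")))
    return local_part(addr).count("*") >= 2


# Constructed sample messages (not real traffic).
# Claims to be a reply (In-Reply-To set) but has no "Re:" and no quoted context,
# and the sender local part carries two asterisks: every condition holds.
FAKE_REPLY = b"""From: "Accounts Payable" <acc*unts*payable@example.test>
To: victim@corp.test
Subject: Updated wire details
In-Reply-To: <20240101.1@corp.test>
Message-ID: <x1@example.test>
Content-Type: text/plain; charset=utf-8

As discussed, please use the new bank account for this month's payment.
"""

# A normal reply: "Re:" subject and a quoted thread, so the rule must not fire.
GENUINE_REPLY = b"""From: "Alice" <alice@example.test>
To: victim@corp.test
Subject: Re: Updated wire details
In-Reply-To: <20240101.1@corp.test>
Message-ID: <x2@example.test>
Content-Type: text/plain; charset=utf-8

Thanks, confirmed.

On Mon, 1 Jan 2024 at 10:00, victim@corp.test wrote:
> Can you confirm the account?
"""

# Same headers and body as FAKE_REPLY but an ordinary local part: the wildcard condition fails.
PLAIN_SENDER = FAKE_REPLY.replace(b"acc*unts*payable@", b"accounts.payable@")

if __name__ == "__main__":
    for label, sample in (("FAKE_REPLY", FAKE_REPLY), ("GENUINE_REPLY", GENUINE_REPLY),
                          ("PLAIN_SENDER", PLAIN_SENDER)):
        print(f"{label}: {'MATCH' if rule_matches(sample) else 'no match'}")
```

One caveat the approximation makes visible: a message with only a text/html part yields an empty body here, so the "no previous thread" condition holds vacuously. A port of this rule outside Sublime should extract text from HTML bodies as well before checking for quoted context, otherwise ordinary HTML replies that lack a "Re:" prefix would be treated as thread-less.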