Suspicious newly registered reply-to domain with engaging financial or urgent language

Detects messages from a mismatched newly registered Reply-to domain that contain a financial or urgent request, or a request and an NLU tag with medium to high confidence, from an untrusted sender. This technique is typically observed in Vendor impersonation.

Sublime rule (View on GitHub)

name: "Suspicious newly registered reply-to domain with engaging financial or urgent language"
description: |
  Detects messages from a mismatched newly registered Reply-to domain that contain a financial or urgent request, or a request and
  an NLU tag with medium to high confidence, from an untrusted sender. This technique is typically observed in Vendor impersonation.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.current_thread.text) < 5000
  and (
    any(headers.reply_to,
        // mismatched reply-to and sender domain
        .email.domain.root_domain != sender.email.domain.root_domain
        // newly registered reply-to domain
        and network.whois(.email.domain).days_old <= 30
    )
    or (
      network.whois(sender.email.domain).days_old < 30
      and sender.email.domain.tld in $suspicious_tlds
    )
  )
  // request is being made
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request"
  )
  // there's financial/urgency OR a tag of medium/high confidence
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name in ("financial", "urgency")
    )
    or any(ml.nlu_classifier(body.current_thread.text).tags,
           .name is not null and .confidence in ("medium", "high")
    )
  )
  and (
    not profile.by_sender().solicited

    //
    // This rule makes use of a beta feature and is subject to change without notice
    // using the beta feature in custom rules is not suggested until it has been formally released
    //
    or not beta.profile.by_reply_to().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
id: "db4d9bb3-0eca-5525-9a99-7c1c773b580f"
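The rule's decision logic, written out as an added Python example so each branch can be traced against sample messages. This is not Sublime's code or the rule's runtime: the WHOIS ages, NLU entities and tags, sender profiles, DMARC results and the $suspicious_tlds / $high_trust_sender_root_domains lists are constructed stand-ins for network.whois(), ml.nlu_classifier(), profile.by_sender() and beta.profile.by_reply_to(), and root_domain is simplified to the last two labels. Four constructed messages exercise the mismatched newly-registered Reply-To branch, the new-sender-on-suspicious-TLD branch, the untrusted-sender requirement and the DMARC carve-out for high-trust sender domains.

```python
# Added example: the rule's logic over constructed stand-ins for Sublime's WHOIS, NLU and profile functions.
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed WHOIS table: domain -> days since registration (hypothetical, not real data).
WHOIS_DAYS_OLD = {"acme-corp.com": 3650, "acme-corp-billing.xyz": 5,
                  "trusted-vendor.com": 4000, "fresh-sender.top": 10}
SUSPICIOUS_TLDS = {"xyz", "top", "icu"}                  # stand-in for $suspicious_tlds
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"trusted-vendor.com"}  # stand-in for $high_trust_sender_root_domains

@dataclass
class NLU:
    entities: set   # entity names, e.g. {"request", "financial"}
    tags: list      # (name, confidence) pairs

@dataclass
class SenderProfile:
    solicited: bool
    any_messages_malicious_or_spam: bool = False
    any_messages_benign: bool = False

@dataclass
class Message:
    sender: str
    reply_to: list
    body: str
    dmarc_pass: bool
    nlu: NLU
    sender_profile: SenderProfile
    reply_to_solicited: bool = True

def domain_of(address: str) -> str:
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()

def root_domain(domain: str) -> str:
    # Simplification: last two labels. Sublime's root_domain uses the public
    # suffix list, so multi-label suffixes such as co.uk are not handled here.
    return ".".join(domain.split(".")[-2:])

def is_newly_registered(domain: str, max_days: int, inclusive: bool) -> bool:
    # No WHOIS record means no age: the comparison is false, as with a null days_old in MQL.
    age = WHOIS_DAYS_OLD.get(domain)
    return age is not None and (age <= max_days if inclusive else age < max_days)

def matches_rule(msg: Message) -> bool:
    if len(msg.body) >= 5000:
        return False
    sender_domain = domain_of(msg.sender)
    sender_root = root_domain(sender_domain)
    # Branch 1: a Reply-To root domain differs from the sender's and is <= 30 days old.
    mismatched_new_reply_to = any(
        root_domain(domain_of(rt)) != sender_root
        and is_newly_registered(domain_of(rt), 30, inclusive=True)
        for rt in msg.reply_to)
    # Branch 2: the sender domain itself is < 30 days old and on a suspicious TLD.
    new_sender_on_suspicious_tld = (
        is_newly_registered(sender_domain, 30, inclusive=False)
        and sender_domain.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS)
    if not (mismatched_new_reply_to or new_sender_on_suspicious_tld):
        return False
    # A request must be present, plus financial/urgency language or a medium/high tag.
    if "request" not in msg.nlu.entities:
        return False
    financial_or_urgent = bool(msg.nlu.entities & {"financial", "urgency"})
    confident_tag = any(name is not None and conf in ("medium", "high")
                        for name, conf in msg.nlu.tags)
    if not (financial_or_urgent or confident_tag):
        return False
    # The sender (or the Reply-To address) must be untrusted.
    p = msg.sender_profile
    if p.solicited and msg.reply_to_solicited and not (
            p.any_messages_malicious_or_spam and not p.any_messages_benign):
        return False
    # High-trust sender domains are excluded unless they fail DMARC.
    return not (sender_root in HIGH_TRUST_SENDER_ROOT_DOMAINS and msg.dmarc_pass)

def sample_messages() -> dict:
    # Constructed messages exercising each branch of the rule.
    wire = "Please wire invoice 4471 to our updated account before Friday."
    bec = NLU({"request", "financial", "urgency"}, [("bec", "high")])
    return {
        # Unsolicited sender, Reply-To on a 5-day-old look-alike domain: matches.
        "lookalike_reply_to": Message("AP <ap@acme-corp.com>", ["ap@acme-corp-billing.xyz"],
                                      wire, True, bec, SenderProfile(False), False),
        # Same Reply-To, but a high-trust sender that passes DMARC: excluded.
        "trusted_sender_dmarc_pass": Message("billing@trusted-vendor.com", ["ap@acme-corp-billing.xyz"],
                                             wire, True, bec, SenderProfile(False), False),
        # No Reply-To; 10-day-old sender on a suspicious TLD with a medium-confidence tag: matches.
        "new_sender_suspicious_tld": Message("ceo@fresh-sender.top", [], "Are you at your desk?", True,
                                             NLU({"request"}, [("callback_scam", "medium")]), SenderProfile(False)),
        # Established, solicited vendor whose Reply-To matches its own domain: no match.
        "established_vendor": Message("ap@acme-corp.com", ["ap@acme-corp.com"], "Statement for March attached.",
                                      True, NLU({"request", "financial"}, []), SenderProfile(True)),
    }

if __name__ == "__main__":
    for name, msg in sample_messages().items():
        print(f"{name}: {'MATCH' if matches_rule(msg) else 'no match'}")
```

Running the script prints the verdict for each sample. The two points worth noting when tuning the real rule are visible here: an unknown WHOIS age never satisfies either newly-registered branch, and a high-trust sender domain is only re-admitted to the match when its DMARC check fails, which is what lets the rule still fire on a spoofed trusted vendor.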