Headers: System account impersonation with empty sender address
Detects messages with an empty sender email address and a display name impersonating system accounts like mailer-daemon, postmaster, or administrator, but lacking legitimate bounce back content as determined by natural language processing.
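name: "Headers: System account impersonation with empty sender address"
# The description is kept in sync with the source block below: only the
# "mailer-daemon" and "postmaster" display names are matched, so
# "administrator" (previously listed here) is deliberately not mentioned.
description: "Detects messages with an empty sender email address and a display name impersonating system accounts such as mailer-daemon or postmaster, but lacking legitimate bounce back content as determined by natural language processing."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Empty sender address paired with a system-account display name
  and sender.email.email == ""
  and (
    strings.icontains(sender.display_name, "mailer-daemon")
    or strings.icontains(sender.display_name, "postmaster")
  )
  // Suppress genuine delivery-failure notices: the NLU classifier reports the
  // bounce topic at high confidence, or the subject carries common English,
  // Portuguese or Chinese bounce wording
  and not (
    (
      any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "Bounce Back and Delivery Failure Notifications"
          and .confidence == "high"
      )
      or regex.icontains(subject.subject, 'Undeliver(?:ed|able)')
      or regex.icontains(subject.subject,
                         'Mensagem não entregue'
      ) // portuguese bounce back variant
      or regex.icontains(subject.subject,
                         '系统退信'
      ) // chinese bounce back variant
    )
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "Natural Language Understanding"
id: "887f7953-9dbc-5582-a4b6-b5b79cce6744"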