Domain impersonation: Freemail reply-to local lookalike with financial request
This technique takes advantage of the use of free email services for the reply-to address. By incorporating the sender domain in the local part of the reply-to address, the attacker creates a visually similar appearance to a legitimate email address.
Sublime rule
```yaml
name: "Domain impersonation: Freemail reply-to local lookalike with financial request"
description: |
  This technique takes advantage of the use of free email services for the reply-to address.
  By incorporating the sender domain in the local part of the reply-to address, the attacker
  creates a visually similar appearance to a legitimate email address.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(headers.reply_to,
          .email.email != sender.email.email
          and .email.domain.domain in $free_email_providers
          and .email.email not in $sender_emails
          and strings.contains(.email.local_part, sender.email.domain.sld)
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "bec" and .confidence in ("medium", "high")
    )
    or (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "financial"
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "request"
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "urgency"
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "sender"
      )
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name != "benign"
      )
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "43026a40-4285-51a7-a42e-f08b9ee41b97"
```
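To make the header half of the rule concrete, here is an added Python re-implementation of the Reply-To lookalike test. It is illustration code, not Sublime's engine or MQL: the `$free_email_providers` and `$sender_emails` lists are replaced by small constructed sets, `sld()` is a simplified stand-in for `sender.email.domain.sld` (no public suffix list), the sample messages are constructed, and the NLU/intent half of the rule is not reproduced.

```python
"""Header-side check of the rule above, re-implemented in plain Python.
Added example, not Sublime's code. Only the Reply-To lookalike condition
is modelled; the NLU intent/entity checks are out of scope here."""
import email
from email.utils import getaddresses

# Constructed stand-in for $free_email_providers (a handful of domains only).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Constructed stand-in for $sender_emails: free-mail addresses the org has
# already seen and trusts, which the rule deliberately excludes.
KNOWN_SENDER_EMAILS = {"acme-corp.payroll@gmail.com"}


def sld(domain: str) -> str:
    """Second-level label of a domain: 'mail.acme-corp.com' -> 'acme-corp'.
    Simplified stand-in for sender.email.domain.sld: takes the label before
    the last dot, so multi-part public suffixes (co.uk) are not handled."""
    labels = domain.lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def split_address(addr: str):
    """Return (local_part, domain) of an address, both lower-cased."""
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def reply_to_lookalike(raw_message: bytes) -> list:
    """Return the Reply-To addresses satisfying the rule's header condition:
    different from the From address, on a free-mail domain, not already
    known, and carrying the sender's SLD inside the local part."""
    msg = email.message_from_bytes(raw_message)
    senders = getaddresses([msg.get("From", "")])
    if not senders or not senders[0][1]:
        return []
    sender_email = senders[0][1].lower()
    _, sender_domain = split_address(sender_email)
    sender_sld = sld(sender_domain)

    hits = []
    for _name, rt in getaddresses(msg.get_all("Reply-To", [])):
        rt = rt.lower()
        local, domain = split_address(rt)
        if (rt != sender_email
                and domain in FREE_EMAIL_PROVIDERS
                and rt not in KNOWN_SENDER_EMAILS
                and sender_sld in local):
            hits.append(rt)
    return hits


# Constructed sample messages (not real mail).
SUSPICIOUS = b"""From: Jane Doe <jane.doe@acme-corp.com>
Reply-To: acme-corp.jane.doe@gmail.com
To: accounts@acme-corp.com
Subject: Urgent wire

Please process the wire today.
"""

KNOWN_FREEMAIL = b"""From: Payroll <payroll@acme-corp.com>
Reply-To: acme-corp.payroll@gmail.com
To: accounts@acme-corp.com
Subject: Timesheets

Timesheets are due Friday.
"""

BENIGN = b"""From: Jane Doe <jane.doe@acme-corp.com>
Reply-To: jane.doe@acme-corp.com
To: accounts@acme-corp.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS),
                          ("known freemail", KNOWN_FREEMAIL),
                          ("benign", BENIGN)):
        print(label, "->", reply_to_lookalike(sample))
```

The `KNOWN_FREEMAIL` sample shows why the rule carries the `$sender_emails` exclusion: a free-mail reply-to that embeds the company name is exactly the pattern being hunted, so an organisation that legitimately uses one needs it listed, or every message from it will fire.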