Domain Impersonation: Freemail ReplyTo_Local Lookalike with Financial Request
This technique takes advantage of the use of free email services for the reply-to address. By incorporating the sender domain in the local part of the reply-to address, the attacker creates a visually similar appearance to a legitimate email address.
Sublime rule (View on GitHub)
1name: "Domain Impersonation: Freemail ReplyTo_Local Lookalike with Financial Request"
2description: |
3 This technique takes advantage of the use of free email services for the reply-to address.
4 By incorporating the sender domain in the local part of the reply-to address, the attacker
5 creates a visually similar appearance to a legitimate email address.
6type: "rule"
7severity: "medium"
8source: |
9 type.inbound
10 and any(headers.reply_to,
11 .email.email != sender.email.email
12 and .email.domain.domain in $free_email_providers
13 and .email.email not in $sender_emails
14 and strings.contains(.email.local_part, sender.email.domain.sld)
15 )
16 and (
17 any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec" and .confidence in ("medium", "high"))
18 or (
19 any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial")
20 and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
21 and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
22 and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "sender")
23 and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
24 )
25 )
26attack_types:
27 - "Credential Phishing"
28tactics_and_techniques:
29 - "Free email provider"
30 - "Social engineering"
31detection_methods:
32 - "Content analysis"
33 - "Header analysis"
34 - "Natural Language Understanding"
35 - "Sender analysis"
36id: "43026a40-4285-51a7-a42e-f08b9ee41b97"