Domain Impersonation: Freemail ReplyTo_Local Lookalike with Financial Request

 1name: "Domain Impersonation: Freemail ReplyTo_Local Lookalike with Financial Request"
 2description: |
 3  This technique takes advantage of the use of free email services for the reply-to address.
 4  By incorporating the sender domain in the local part of the reply-to address, the attacker
 5  creates a visually similar appearance to a legitimate email address.  
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and any(headers.reply_to,
11          .email.email != sender.email.email
12          and .email.domain.domain in $free_email_providers
13          and .email.email not in $sender_emails
14          and strings.contains(.email.local_part, sender.email.domain.sld)
15  )
16  and any([body.plain.raw, body.html.inner_text],
17          any(ml.nlu_classifier(.).intents, .name == "bec" and .confidence in ("medium", "high"))
18          or (
19            any(ml.nlu_classifier(.).entities, .name == "financial")
20            and any(ml.nlu_classifier(.).entities, .name == "request")
21            and any(ml.nlu_classifier(.).entities, .name == "urgency")
22            and any(ml.nlu_classifier(.).entities, .name == "sender")
23            and any(ml.nlu_classifier(.).intents, .name != "benign")
24          )
25  )  
26attack_types:
27  - "Credential Phishing"
28tactics_and_techniques:
29  - "Free email provider"
30  - "Social engineering"
31detection_methods:
32  - "Content analysis"
33  - "Header analysis"
34  - "Natural Language Understanding"
35  - "Sender analysis"
36id: "43026a40-4285-51a7-a42e-f08b9ee41b97"