Domain Impersonation: Freemail ReplyTo_Local Lookalike with Financial Request

This technique takes advantage of the use of free email services for the reply-to address. By incorporating the sender domain in the local part of the reply-to address, the attacker creates a visually similar appearance to a legitimate email address.

Sublime rule (View on GitHub)

 1name: "Domain Impersonation: Freemail ReplyTo_Local Lookalike with Financial Request"
 2description: |
 3  This technique takes advantage of the use of free email services for the reply-to address.
 4  By incorporating the sender domain in the local part of the reply-to address, the attacker
 5  creates a visually similar appearance to a legitimate email address.  
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and any(headers.reply_to,
11          .email.email != sender.email.email
12          and .email.domain.domain in $free_email_providers
13          and .email.email not in $sender_emails
14          and strings.contains(.email.local_part, sender.email.domain.sld)
15  )
16  and (
17    any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec" and .confidence in ("medium", "high"))
18        or (
19          any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial")
20          and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
21          and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
22          and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "sender")
23          and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
24        )
25  )  
26attack_types:
27  - "Credential Phishing"
28tactics_and_techniques:
29  - "Free email provider"
30  - "Social engineering"
31detection_methods:
32  - "Content analysis"
33  - "Header analysis"
34  - "Natural Language Understanding"
35  - "Sender analysis"
36id: "43026a40-4285-51a7-a42e-f08b9ee41b97"
to-top