Fake message thread - Untrusted sender with a mismatched freemail reply-to address

Fake message threads (also called chain reuse) are a common confidence technique used by threat actors to bolster credibility: the message is dressed up as a continuation of an existing conversation. This is typically used in conjunction with a Reply-To address that differs from the sender address, so that replies are diverted to an account the attacker controls.

Sublime rule

```yaml
name: "Fake message thread - Untrusted sender with a mismatched freemail reply-to address"
description: |
  Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility.
  This is typically used in conjunction with a reply-to address that is not the same as the sender address.
references:
  - "https://playground.sublimesecurity.com?id=5ab9a225-4de3-494f-9a55-e16ec9e1e5c3"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    (
      profile.by_sender_email().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )

  // Reply-to is a freemail sender but From is not
  and any(headers.reply_to,
          .email.domain.domain in $free_email_providers
          and not .email.domain.domain == sender.email.domain.domain
  )

  // Exclude marketing emails
  and not strings.ilike(sender.email.local_part,
                        "support",
                        "sales",
                        "noreply",
                        "marketing"
  )

  // Exclude mailing lists
  and not any(headers.hops,
              any(.fields,
                  .name in ("x-google-group-id", "list-post", "mailing-list")
              )
  )

  // Check for Message Thread Indicators
  and (
    regex.icontains(subject.subject, '\b(?:RE|FWD?)\s*:')
    or any([body.current_thread.text, body.html.display_text, body.plain.raw],
           3 of (
             strings.icontains(., "from:"),
             strings.icontains(., "to:"),
             strings.icontains(., "sent:"),
             strings.icontains(., "date:"),
             strings.icontains(., "cc:"),
             strings.icontains(., "subject:")
           )
    )
  )

  // Check for the Presence of References or In-Reply-To properties
  and (length(headers.references) == 0 or headers.in_reply_to is null)
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "ca64e819-576b-574a-abcc-63f1916e8a41"
```
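To show how the rule's header and body checks combine on a concrete message, here is an added Python re-implementation of its logic run over a constructed sample email; it is not Sublime's code. It assumes a small hand-picked freemail set in place of `$free_email_providers`, takes the sender-profile verdict (prevalence / solicited history, which needs mailbox history) as a boolean parameter, and checks list headers on the message rather than per hop.

```python
import email
import re
from email import policy
from email.utils import parseaddr

FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed subset of $free_email_providers
EXCLUDED_LOCAL_PARTS = ("support", "sales", "noreply", "marketing")           # marketing exclusion
LIST_HEADERS = ("x-google-group-id", "list-post", "mailing-list")             # mailing-list exclusion
THREAD_LABELS = ("from:", "to:", "sent:", "date:", "cc:", "subject:")          # quoted-header indicators

# Constructed sample: corporate From, freemail Reply-To, "RE:" subject, pasted headers, no References/In-Reply-To.
SAMPLE = """\
From: Jane Doe <jane@example-corp.test>
Reply-To: jane.doe.accounts@gmail.com
To: finance@victim.test
Subject: RE: Invoice payment
Content-Type: text/plain; charset=us-ascii

Hi, per the thread below, please use the updated bank details.

From: Jane Doe
Sent: Monday 09:12
To: finance@victim.test
Subject: Invoice payment
"""

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def freemail_reply_to_mismatch(msg):
    sender_domain = domain_of(msg.get("From", ""))
    return any(domain_of(rt) in FREE_EMAIL_PROVIDERS and domain_of(rt) != sender_domain
               for rt in msg.get_all("Reply-To", []))

def looks_like_thread(msg):
    if re.search(r"\b(?:RE|FWD?)\s*:", msg.get("Subject", ""), re.IGNORECASE):
        return True
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (body.get_content() if body else "").lower()
    return sum(label in text for label in THREAD_LABELS) >= 3   # "3 of" in the rule

def missing_thread_headers(msg):
    return not msg.get("References") or not msg.get("In-Reply-To")

def matches_rule(raw, sender_untrusted=True):
    """sender_untrusted stands in for the profile.by_sender*() block (assumed input)."""
    msg = email.message_from_string(raw, policy=policy.default)
    local_part = parseaddr(msg.get("From", ""))[1].partition("@")[0].lower()
    if local_part in EXCLUDED_LOCAL_PARTS or any(h.lower() in LIST_HEADERS for h in msg.keys()):
        return False
    return (sender_untrusted and freemail_reply_to_mismatch(msg)
            and looks_like_thread(msg) and missing_thread_headers(msg))
```

A genuine reply carries both `References` and `In-Reply-To`, which is why the final check alone clears most legitimate threads.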