Fake Message Thread - Untrusted Sender with a Mismatched Freemail Reply-To Address

calendar Sep 11, 2024  ·
Share on: linkedin copy

Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility. This is typically used in conjunction with a reply-to address that is not the same as the sender address.

Sublime rule (View on GitHub)

 1name: "Fake Message Thread - Untrusted Sender with a Mismatched Freemail Reply-To Address"
 2description: |
 3  Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility.
 4  This is typically used in conjunction with a reply-to address that is not the same as the sender address.   
 5references:
 6  - "https://playground.sublimesecurity.com?id=5ab9a225-4de3-494f-9a55-e16ec9e1e5c3"
 7type: "rule"
 8severity: "medium"
 9source: |
10  type.inbound
11  and (
12    (
13      profile.by_sender_email().prevalence in ("new", "outlier")
14      and not profile.by_sender().solicited
15    )
16    or (
17      profile.by_sender().any_messages_malicious_or_spam
18      and not profile.by_sender().any_false_positives
19    )
20  )
21
22  // Reply-to is a freemail sender but From is not
23  and any(headers.reply_to,
24          .email.domain.domain in $free_email_providers
25          and not .email.domain.domain == sender.email.domain.domain
26  )
27
28  // Exclude marketing emails
29  and not strings.ilike(sender.email.local_part, "support", "sales", "noreply", "marketing")
30
31  // Check for Message Thread Indicators
32  and (
33    regex.icontains(subject.subject, '\b(?:RE|FWD?)\s*:')
34    or any([body.current_thread.text, body.html.display_text, body.plain.raw],
35           3 of (
36             strings.icontains(., "from:"),
37             strings.icontains(., "to:"),
38             strings.icontains(., "sent:"),
39             strings.icontains(., "date:"),
40             strings.icontains(., "cc:"),
41             strings.icontains(., "subject:")
42           )
43    )
44  )
45
46  // Check for the Presence of References or In-Reply-To properties
47  and (
48    length(headers.references) == 0
49    or headers.in_reply_to is null
50  )  
51attack_types:
52  - "BEC/Fraud"
53tactics_and_techniques:
54  - "Free email provider"
55  - "Social engineering"
56detection_methods:
57  - "Content analysis"
58  - "Header analysis"
59  - "Sender analysis"
60id: "ca64e819-576b-574a-abcc-63f1916e8a41"
to-top