Fake Message Thread - First Time Sender with a Mismatched Freemail Reply-To Address
Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility. This is typically used in conjunction with a reply-to address that is not the same as the sender address.
Sublime rule

name: "Fake Message Thread - First Time Sender with a Mismatched Freemail Reply-To Address"
description: |
  Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility.
  This is typically used in conjunction with a reply-to address that is not the same as the sender address.
references:
  - "https://playground.sublimesecurity.com?id=5ab9a225-4de3-494f-9a55-e16ec9e1e5c3"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // Reply-to is a freemail sender but From is not
  and any(headers.reply_to,
          .email.domain.domain in $free_email_providers
          and not .email.domain.domain == sender.email.domain.domain
  )

  // Exclude marketing emails
  and not strings.ilike(sender.email.local_part, "support", "sales", "noreply", "marketing")

  // Check for Message Thread Indicators
  and (
    strings.istarts_with(subject.subject, "RE:")
    or any([body.plain.raw, body.html.display_text],
           regex.icontains(.,
                           "From:[ a-z0-9<>_@\\.]{0,80}Sent:[ a-z0-9<>_@\\.:]{0,40}To:[ a-z0-9<>_@\\.;]{0,300}(Cc:)?.{0,300}Subject:"
           )
    )
  )

  // Check for the Presence of References or In-Reply-To properties
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "ca64e819-576b-574a-abcc-63f1916e8a41"
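To see how the rule's five conditions combine, here is the same logic re-implemented in plain Python as an added example; it is not Sublime's code and does not use the MQL engine. The sender-profile dictionary, the freemail domain set and the two sample messages are constructed stand-ins for Sublime's profile.by_sender(), the $free_email_providers list and real mail, and the quoted-header regex is copied from the rule as written.

```python
"""Offline re-implementation of the Sublime rule's conditions (added example)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr

# Constructed subset standing in for Sublime's $free_email_providers list (assumption).
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# strings.ilike() with no wildcards is an exact, case-insensitive match, so only
# these exact local parts are excluded (e.g. "sales-team" is not).
MARKETING_LOCAL_PARTS = ("support", "sales", "noreply", "marketing")

# The rule's quoted-header pattern. re.DOTALL lets ".{0,300}" span line breaks
# (an assumption about Sublime's engine); the bracketed classes contain no
# newline, so the sample below keeps the quoted header on one line, as
# body.html.display_text would render it.
FAKE_THREAD_RE = re.compile(
    r"From:[ a-z0-9<>_@\.]{0,80}Sent:[ a-z0-9<>_@\.:]{0,40}"
    r"To:[ a-z0-9<>_@\.;]{0,300}(Cc:)?.{0,300}Subject:",
    re.IGNORECASE | re.DOTALL,
)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_is_untrusted(profile: dict) -> bool:
    """Mirror of the profile.by_sender() block; `profile` is a constructed stand-in."""
    new_unsolicited = profile.get("prevalence") in ("new", "outlier") and not profile.get("solicited", False)
    bad_history = profile.get("any_messages_malicious_or_spam", False) and not profile.get("any_false_positives", False)
    return new_unsolicited or bad_history


def reply_to_mismatch(msg: Message) -> bool:
    """Any Reply-To on a freemail domain that differs from the From domain."""
    sender_domain = _domain(parseaddr(msg.get("From", ""))[1])
    for _, addr in getaddresses(msg.get_all("Reply-To", [])):
        d = _domain(addr)
        if d in FREE_EMAIL_PROVIDERS and d != sender_domain:
            return True
    return False


def looks_like_marketing(msg: Message) -> bool:
    local = parseaddr(msg.get("From", ""))[1].split("@", 1)[0].lower()
    return local in MARKETING_LOCAL_PARTS


def has_thread_indicators(msg: Message) -> bool:
    """Subject starts with RE:, or the body carries an Outlook-style quoted header."""
    if msg.get("Subject", "").lstrip().upper().startswith("RE:"):
        return True
    body = msg.get_payload(decode=True) or b""
    return FAKE_THREAD_RE.search(body.decode("utf-8", "replace")) is not None


def lacks_threading_headers(msg: Message) -> bool:
    """A genuine reply normally carries References and In-Reply-To."""
    return not msg.get_all("References") or "In-Reply-To" not in msg


def evaluate(raw_message: str, profile: dict) -> dict:
    """Return each condition's verdict plus the overall rule match."""
    msg = message_from_string(raw_message)
    checks = {
        "untrusted_sender": sender_is_untrusted(profile),
        "reply_to_mismatch": reply_to_mismatch(msg),
        "not_marketing": not looks_like_marketing(msg),
        "thread_indicators": has_thread_indicators(msg),
        "missing_threading_headers": lacks_threading_headers(msg),
    }
    checks["match"] = all(checks.values())
    return checks


# Constructed sample: first-time sender, freemail Reply-To, fake quoted thread, no threading headers.
SUSPICIOUS_MESSAGE = """From: Accounts Payable <ap@vendor-example.com>
Reply-To: ap.vendor <ap.vendor.billing@gmail.com>
To: finance@example.com
Subject: RE: Invoice 4471 overdue
Content-Type: text/plain; charset=utf-8

Following up on the thread below. Please confirm updated banking details.

From: Jane Doe <jane@example.com> Sent: Monday 9:00 AM To: finance@example.com; Cc: Subject: Invoice 4471
"""
NEW_SENDER = {"prevalence": "new", "solicited": False}

# Constructed sample: established correspondent replying to a real message.
LEGIT_REPLY = """From: Jane Doe <jane@partner-example.com>
Reply-To: jane@partner-example.com
To: finance@example.com
Subject: RE: Invoice 4471
References: <20240101.abc@example.com>
In-Reply-To: <20240101.abc@example.com>
Content-Type: text/plain; charset=utf-8

Thanks, received.
"""
KNOWN_SENDER = {"prevalence": "common", "solicited": True}

if __name__ == "__main__":
    print(evaluate(SUSPICIOUS_MESSAGE, NEW_SENDER))
    print(evaluate(LEGIT_REPLY, KNOWN_SENDER))
```

The per-condition dictionary is the useful part when tuning: a legitimate reply that was routed through a gateway which dropped its References header will show `missing_threading_headers` true but still fail on `reply_to_mismatch`, which is why the rule requires every branch rather than any one of them.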