Fake Message Thread - Untrusted Sender with a Mismatched Freemail Reply-To Address

Fake message threads (chain reuse) are a common confidence technique: the threat actor includes a fabricated earlier exchange so the message reads as part of an ongoing conversation, which bolsters its credibility. It is typically combined with a Reply-To address that differs from the sender address, so that replies are diverted to an account the actor controls.

Sublime rule (View on GitHub)

name: "Fake Message Thread - Untrusted Sender with a Mismatched Freemail Reply-To Address"
description: |
  Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility.
  This is typically used in conjunction with a reply-to address that is not the same as the sender address.
references:
  - "https://playground.sublimesecurity.com?id=5ab9a225-4de3-494f-9a55-e16ec9e1e5c3"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    (
      profile.by_sender_email().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // Reply-to is a freemail sender but From is not
  and any(headers.reply_to,
          .email.domain.domain in $free_email_providers
          and not .email.domain.domain == sender.email.domain.domain
  )

  // Exclude marketing emails
  and not strings.ilike(sender.email.local_part,
                        "support",
                        "sales",
                        "noreply",
                        "marketing"
  )

  // Exclude mailing lists
  and not any(headers.hops,
              any(.fields,
                  .name in (
                    "x-google-group-id",
                    "list-post",
                    "mailing-list"
                  )
              )
  )

  // Check for Message Thread Indicators
  and (
    regex.icontains(subject.subject, '\b(?:RE|FWD?)\s*:')
    or any([body.current_thread.text, body.html.display_text, body.plain.raw],
           3 of (
             strings.icontains(., "from:"),
             strings.icontains(., "to:"),
             strings.icontains(., "sent:"),
             strings.icontains(., "date:"),
             strings.icontains(., "cc:"),
             strings.icontains(., "subject:")
           )
    )
  )

  // Check for the Presence of References or In-Reply-To properties
  and (length(headers.references) == 0 or headers.in_reply_to is null)
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "ca64e819-576b-574a-abcc-63f1916e8a41"
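The header and content conditions of the rule above, re-implemented as a stand-alone Python check over a raw message (an added example, not Sublime's engine or the rule's own code). It assumes a constructed stand-in for the $free_email_providers list, treats the message's flattened headers as the rule's hop fields, and leaves out the sender-profile conditions, which need mailbox history a single message cannot supply.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Stand-ins for $free_email_providers and the rule's literal lists (constructed, not Sublime's data).
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
MARKETING_LOCAL_PARTS = {"support", "sales", "noreply", "marketing"}
LIST_HEADERS = {"x-google-group-id", "list-post", "mailing-list"}
THREAD_TOKENS = ("from:", "to:", "sent:", "date:", "cc:", "subject:")
THREAD_SUBJECT = re.compile(r"\b(?:RE|FWD?)\s*:", re.IGNORECASE)

def split_address(value):
    """(local_part, domain) of the first address in a header value, lower-cased."""
    local, _, domain = parseaddr(value or "")[1].lower().partition("@")
    return local, domain

def fake_thread_checks(raw):
    """Evaluate the rule's header/content conditions on one raw RFC 5322 message.
    Profile conditions (prevalence, solicited, prior spam) are out of scope here."""
    msg = message_from_string(raw)
    sender_local, sender_domain = split_address(msg.get("From"))
    reply_domain = split_address(msg.get("Reply-To"))[1]
    # Single-part body only (assumption); multipart messages yield no text here
    text = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    c = {
        # Reply-To is a freemail address but From is not
        "freemail_mismatch": reply_domain in FREE_EMAIL_PROVIDERS and reply_domain != sender_domain,
        # Exclusions: marketing-style local parts (ilike without wildcards == exact) and list headers
        "marketing": sender_local in MARKETING_LOCAL_PARTS,
        "mailing_list": any(h.lower() in LIST_HEADERS for h in msg.keys()),
        # Thread indicators: RE:/FW:/FWD: subject, or 3+ quoted-header tokens in the body
        "thread_indicators": bool(THREAD_SUBJECT.search(msg.get("Subject", "")))
                             or sum(t in text for t in THREAD_TOKENS) >= 3,
        # A genuine reply normally carries both References and In-Reply-To
        "missing_thread_headers": not msg.get("References") or msg.get("In-Reply-To") is None,
    }
    c["match"] = (c["freemail_mismatch"] and not c["marketing"] and not c["mailing_list"]
                  and c["thread_indicators"] and c["missing_thread_headers"])
    return c

# Constructed sample: a "forwarded" thread with a freemail Reply-To and no References/In-Reply-To
SAMPLE = """From: Dana Lee <dana.lee@example-corp.test>
Reply-To: dana.lee.ceo@gmail.com
Subject: FW: Invoice approval

From: Accounts <accounts@vendor.test>
Sent: Monday 09:12
Subject: Invoice approval
"""
```

Running `fake_thread_checks(SAMPLE)` flags the sample; adding References and In-Reply-To headers, or a Reply-To on the sender's own domain, clears the match.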