Fake Message Thread - Untrusted Sender with a Mismatched Freemail Reply-To Address
Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility. This is typically used in conjunction with a reply-to address that is not the same as the sender address.
Sublime rule (View on GitHub)
1name: "Fake Message Thread - Untrusted Sender with a Mismatched Freemail Reply-To Address"
2description: |
3 Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility.
4 This is typically used in conjunction with a reply-to address that is not the same as the sender address.
5references:
6 - "https://playground.sublimesecurity.com?id=5ab9a225-4de3-494f-9a55-e16ec9e1e5c3"
7type: "rule"
8severity: "medium"
9source: |
10 type.inbound
11 and (
12 (
13 profile.by_sender_email().prevalence in ("new", "outlier")
14 and not profile.by_sender().solicited
15 )
16 or (
17 profile.by_sender().any_messages_malicious_or_spam
18 and not profile.by_sender().any_false_positives
19 )
20 )
21
22 // Reply-to is a freemail sender but From is not
23 and any(headers.reply_to,
24 .email.domain.domain in $free_email_providers
25 and not .email.domain.domain == sender.email.domain.domain
26 )
27
28 // Exclude marketing emails
29 and not strings.ilike(sender.email.local_part,
30 "support",
31 "sales",
32 "noreply",
33 "marketing"
34 )
35
36 // Exclude mailing lists
37 and not any(headers.hops,
38 any(.fields,
39 .name in (
40 "x-google-group-id",
41 "list-post",
42 "mailing-list"
43 )
44 )
45 )
46
47 // Check for Message Thread Indicators
48 and (
49 regex.icontains(subject.subject, '\b(?:RE|FWD?)\s*:')
50 or any([body.current_thread.text, body.html.display_text, body.plain.raw],
51 3 of (
52 strings.icontains(., "from:"),
53 strings.icontains(., "to:"),
54 strings.icontains(., "sent:"),
55 strings.icontains(., "date:"),
56 strings.icontains(., "cc:"),
57 strings.icontains(., "subject:")
58 )
59 )
60 )
61
62 // Check for the Presence of References or In-Reply-To properties
63 and (length(headers.references) == 0 or headers.in_reply_to is null)
64attack_types:
65 - "BEC/Fraud"
66tactics_and_techniques:
67 - "Free email provider"
68 - "Social engineering"
69detection_methods:
70 - "Content analysis"
71 - "Header analysis"
72 - "Sender analysis"
73id: "ca64e819-576b-574a-abcc-63f1916e8a41"