Fake Message Thread - Untrusted Sender with a Mismatched Freemail Reply-To Address

Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility. This is typically used in conjunction with a reply-to address that is not the same as the sender address.

Sublime rule

name: "Fake Message Thread - Untrusted Sender with a Mismatched Freemail Reply-To Address"
description: |
  Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility.
  This is typically used in conjunction with a reply-to address that is not the same as the sender address.
references:
  - "https://playground.sublimesecurity.com?id=5ab9a225-4de3-494f-9a55-e16ec9e1e5c3"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // Reply-to is a freemail sender but From is not
  and any(headers.reply_to,
          .email.domain.domain in $free_email_providers
          and not .email.domain.domain == sender.email.domain.domain
  )

  // Exclude marketing emails
  and not strings.ilike(sender.email.local_part, "support", "sales", "noreply", "marketing")

  // Check for Message Thread Indicators
  and (
    strings.istarts_with(subject.subject, "RE:")
    or regex.icontains(body.current_thread.text,
                       "From:[ a-z0-9<>_@\\.]{0,80}Sent:[ a-z0-9<>_@\\.:]{0,40}To:[ a-z0-9<>_@\\.;]{0,300}(Cc:)?.{0,300}Subject:"
    )
  )

  // Check for the Presence of References or In-Reply-To properties
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "ca64e819-576b-574a-abcc-63f1916e8a41"
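As an added example (not part of the Sublime rule or this page), the header and body checks above re-implemented in Python over a constructed message, so the three conditions can be traced one by one. The freemail list, the sender_untrusted flag (standing in for the profile.by_sender() checks) and the use of the whole body in place of body.current_thread.text are assumptions and simplifications of the rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for Sublime's $free_email_providers list (assumption).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Excluded sender local-parts; ilike with no wildcard is treated as an exact match.
MARKETING_LOCAL_PARTS = {"support", "sales", "noreply", "marketing"}
# The rule's quoted-header pattern: From: ... Sent: ... To: ... [Cc:] ... Subject:
THREAD_RE = re.compile(
    r"From:[ a-z0-9<>_@\.]{0,80}Sent:[ a-z0-9<>_@\.:]{0,40}"
    r"To:[ a-z0-9<>_@\.;]{0,300}(Cc:)?.{0,300}Subject:", re.I | re.S)

def _domain(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def matches_fake_thread_rule(raw_message, sender_untrusted=True):
    # sender_untrusted stands in for the profile.by_sender() prevalence/solicited
    # checks, which need mailbox history this snippet does not have (assumption).
    if not sender_untrusted:
        return False
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    local_part, _, sender_domain = sender.partition("@")
    # Reply-To on a freemail domain that differs from the From domain
    reply_domains = [_domain(v) for v in msg.get_all("Reply-To", [])]
    if not any(d in FREE_EMAIL_PROVIDERS and d != sender_domain for d in reply_domains):
        return False
    if local_part in MARKETING_LOCAL_PARTS:  # exclude marketing / system senders
        return False
    # Fake-thread indicators: "RE:" subject or a quoted header block in the body
    # (the rule scopes this to body.current_thread.text; the whole body is used here)
    body = msg.get_payload() if not msg.is_multipart() else ""
    if not (msg.get("Subject", "").upper().startswith("RE:") or THREAD_RE.search(body)):
        return False
    # A genuine reply carries References and In-Reply-To; a pasted thread lacks them
    return not msg.get("References") or not msg.get("In-Reply-To")

# Constructed sample: spoofed executive, Gmail Reply-To, pasted "thread", no threading headers
FAKE_THREAD = """From: Jane Doe <jane.doe@acmecorp.example>
Reply-To: jane.doe.acme@gmail.com
To: ap@acmecorp.example
Subject: RE: Urgent wire

Please process today.

From: Jane Doe <jane.doe@acmecorp.example> Sent: Monday 9:00 To: ap@acmecorp.example Subject: Urgent wire
"""
```

matches_fake_thread_rule(FAKE_THREAD) returns True; adding both a References and an In-Reply-To header to the same message makes it return False, which is the rule's distinction between a real reply and a fabricated chain.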