Fake Message Thread - First Time Sender with a Mismatched Freemail Reply-To Address

 1name: "Fake Message Thread - First Time Sender with a Mismatched Freemail Reply-To Address"
 2description: |
 3  Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility.
 4  This is typically used in conjunction with a reply-to address that is not the same as the sender address.   
 5references:
 6  - "https://playground.sublimesecurity.com?id=5ab9a225-4de3-494f-9a55-e16ec9e1e5c3"
 7type: "rule"
 8severity: "medium"
 9source: |
10  type.inbound
11  and (
12    (
13      profile.by_sender().prevalence in ("new", "outlier")
14      and not profile.by_sender().solicited
15    )
16    or (
17      profile.by_sender().any_messages_malicious_or_spam
18      and not profile.by_sender().any_false_positives
19    )
20  )
21
22  // Reply-to is a freemail sender but From is not
23  and any(headers.reply_to,
24          .email.domain.domain in $free_email_providers
25          and not .email.domain.domain == sender.email.domain.domain
26  )
27
28  // Exclude marketing emails
29  and not strings.ilike(sender.email.local_part, "support", "sales", "noreply", "marketing")
30
31  // Check for Message Thread Indicators
32  and (
33    strings.istarts_with(subject.subject, "RE:")
34    or any([body.plain.raw, body.html.display_text],
35           regex.icontains(.,
36                           "From:[ a-z0-9<>_@\\.]{0,80}Sent:[ a-z0-9<>_@\\.:]{0,40}To:[ a-z0-9<>_@\\.;]{0,300}(Cc:)?.{0,300}Subject:"
37           )
38    )
39  )
40
41  // Check for the Presence of References or In-Reply-To properties
42  and (
43    length(headers.references) == 0
44    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
45  )  
46attack_types:
47  - "BEC/Fraud"
48tactics_and_techniques:
49  - "Free email provider"
50  - "Social engineering"
51detection_methods:
52  - "Content analysis"
53  - "Header analysis"
54  - "Sender analysis"
55id: "ca64e819-576b-574a-abcc-63f1916e8a41"