Reconnaissance: Email address harvesting attempt

calendar Feb 23, 2026 · Attack surface reduction  ·
Share on: linkedin copy

Detects potential email harvesting or credential phishing attempts where short messages contain email addresses in the body text. These messages often try to extract contact information or validate email addresses for future attacks.

Sublime rule (View on GitHub)

 1name: "Reconnaissance: Email address harvesting attempt"
 2description: |
 3    Detects potential email harvesting or credential phishing attempts where short messages contain email addresses in the body text. These messages often try to extract contact information or validate email addresses for future attacks.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and length(subject.base) <= 15
 9  // detect email addresses in body text
10  and (
11    regex.imatch(body.current_thread.text,
12                 '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'
13    )
14  )
15  // external freemail sender
16  and sender.email.domain.root_domain in $free_email_providers
17  // no attachments but allow one link
18  and length(attachments) == 0
19  and length(body.current_thread.links) == 1  
20tags:
21 - "Attack surface reduction"
22attack_types:
23  - "BEC/Fraud"
24  - "Credential Phishing"
25  - "Spam"
26tactics_and_techniques:
27  - "Free email provider"
28  - "Social engineering"
29detection_methods:
30  - "Content analysis"
31  - "Header analysis"
32  - "Sender analysis"
33  - "URL analysis"
34id: "bb31efbc-e96d-5697-80ce-343881ee221f"

Related rules

to-top