Reconnaissance: Empty message from uncommon sender

Detects incoming messages that are completely empty, containing no subject line, message body content, or file attachments. Such messages may be used for reconnaissance, delivery confirmation, or as part of multi-stage attacks.

Sublime rule (View on GitHub)

name: "Reconnaissance: Empty message from uncommon sender"
description: "Detects incoming messages that are completely empty, containing no subject line, message body content, or file attachments. Such messages may be used for reconnaissance, delivery confirmation, or as part of multi-stage attacks."
type: "rule"
severity: "low"
source: |
  type.inbound
  and subject.base == ""
  and (
    body.plain.raw is null
    or body.plain.raw == ""
    or regex.imatch(body.plain.raw, '^\s*$')
  )
  and (
    body.html.raw is null
    or body.html.raw == ""
    or regex.imatch(body.html.raw, '^\s*$')
  )
  and length(attachments) == 0
  and profile.by_sender().prevalence != "common"
tags:
  - "Attack surface reduction"
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
id: "b347cdbc-a0ee-5901-b61e-356d6ea49d6d"
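To make the rule's logic concrete, the following Python is an added example (not Sublime's code and not part of the rule page) that re-implements the same predicate over a handful of constructed sample messages. It assumes a small Message stand-in for the MQL fields the rule reads, treats subject.base as the subject with reply/forward prefixes stripped (an assumption about that field, approximated here with a regex), and mirrors the three body clauses (null, empty string, whitespace-only) and the attachment and sender-prevalence checks exactly as written in the rule.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Equivalent of the rule's regex.imatch(body, '^\s*$'): whitespace-only or empty.
WHITESPACE_ONLY = re.compile(r"\s*")

# Approximation of MQL's subject.base (assumption): strip leading Re:/Fw:/Fwd: prefixes.
REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:\s*", re.IGNORECASE)


@dataclass
class Message:
    """Constructed stand-in for the fields the rule reads; not Sublime's object model."""
    inbound: bool                       # type.inbound
    subject: str                        # subject.subject (raw header value)
    body_plain: Optional[str]           # body.plain.raw (None models MQL null)
    body_html: Optional[str]            # body.html.raw
    attachments: List[str] = field(default_factory=list)  # attachments
    sender_prevalence: str = "unknown"  # profile.by_sender().prevalence


def subject_base(subject: str) -> str:
    """Repeatedly strip reply/forward prefixes, then surrounding whitespace."""
    prev = None
    s = subject
    while prev != s:
        prev = s
        s = REPLY_PREFIX.sub("", s)
    return s.strip()


def body_is_empty(raw: Optional[str]) -> bool:
    """The rule's three clauses: is null, == "", or matches ^\s*$."""
    return raw is None or raw == "" or WHITESPACE_ONLY.fullmatch(raw) is not None


def matches_rule(msg: Message) -> bool:
    """True when every conjunct of the rule's source block holds."""
    return (
        msg.inbound
        and subject_base(msg.subject) == ""
        and body_is_empty(msg.body_plain)
        and body_is_empty(msg.body_html)
        and len(msg.attachments) == 0
        and msg.sender_prevalence != "common"
    )


# Constructed sample messages covering the match and each non-match branch.
SAMPLES = {
    "empty_new_sender": Message(True, "", None, None, [], "new"),
    "whitespace_only": Message(True, "   ", "\n\t ", " \n", [], "rare"),
    "prefix_only_subject": Message(True, "Re: Fwd: ", "", "", [], "new"),
    "empty_common_sender": Message(True, "", "", "", [], "common"),
    "has_attachment": Message(True, "", "", "", ["invoice.pdf"], "new"),
    "has_body": Message(True, "", "hello", None, [], "new"),
    "outbound": Message(False, "", None, None, [], "new"),
}


def run_samples() -> dict:
    """Evaluate the rule against every sample; returns name -> matched."""
    return {name: matches_rule(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:22s} -> {'ALERT' if hit else 'no match'}")
```

The three body clauses overlap (the regex alone already covers an empty string), so the redundancy is about readability rather than coverage; the one check that actually keeps noise down is the prevalence exclusion, which is why the "empty_common_sender" sample does not fire even though it is just as empty as the others.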
