Reconnaissance: Empty subject with mismatched reply-to from new sender

Message with no subject line from a new sender where the reply-to address differs from the sender address, potentially indicating header manipulation or impersonation tactics.

Sublime rule

name: "Reconnaissance: Empty subject with mismatched reply-to from new sender"
description: "Message with no subject line from a new sender where the reply-to address differs from the sender address, potentially indicating header manipulation or impersonation tactics."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and profile.by_sender_email().prevalence == "new"
  and subject.base == ""
  and length(headers.reply_to) > 0
  and sender.email.email not in map(headers.reply_to, .email.email)
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "12f4bd45-a236-55c9-b16a-1bff6070e250"
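As an added example, not part of the Sublime rule or of Sublime's own code, the same four conditions re-implemented in stand-alone Python over constructed RFC 5322 messages. A `known_senders` set stands in for the `profile.by_sender_email().prevalence == "new"` lookup (an assumption; the real profile is derived from mailbox history), and empty or whitespace-only subjects are treated as `subject.base == ""`.

```python
# Added example: re-implementation of the rule logic with the standard library.
from email import message_from_string
from email.policy import default
from email.utils import getaddresses


def sender_is_new(sender: str, known_senders: set) -> bool:
    # Stand-in for profile.by_sender_email().prevalence == "new" (assumption):
    # a sender is "new" if its address has never been seen in this mailbox.
    return sender.lower() not in known_senders


def parse_fields(raw: str):
    """Return (subject, sender, reply_to_addresses), normalised to lower case."""
    msg = message_from_string(raw, policy=default)
    # subject.base: a missing or whitespace-only Subject counts as empty
    subject = str(msg["Subject"] or "").strip()
    from_addrs = getaddresses([str(msg["From"] or "")])
    sender = from_addrs[0][1].lower() if from_addrs else ""
    # headers.reply_to may be absent, or hold several comma-separated addresses
    reply_to_raw = [str(h) for h in (msg.get_all("Reply-To") or [])]
    reply_to = [addr.lower() for _, addr in getaddresses(reply_to_raw) if addr]
    return subject, sender, reply_to


def matches_rule(raw: str, known_senders: set) -> bool:
    subject, sender, reply_to = parse_fields(raw)
    return (
        sender_is_new(sender, known_senders)
        and subject == ""                  # subject.base == ""
        and len(reply_to) > 0              # length(headers.reply_to) > 0
        and sender not in reply_to         # sender not in map(headers.reply_to, .email.email)
    )


# Constructed sample messages (not real traffic); the mailbox has seen one partner before.
KNOWN_SENDERS = {"known.partner@example.test"}
SUSPICIOUS = (
    "From: Pat Lee <pat.lee@example-vendor.test>\r\n"
    "Reply-To: pat.lee@lookalike-domain.test\r\n"
    "Subject: \r\n"
    "To: ap@example.test\r\n\r\nAre you at your desk?\r\n"
)
BENIGN = SUSPICIOUS.replace("pat.lee@lookalike-domain.test",
                            "Pat Lee <pat.lee@example-vendor.test>")

if __name__ == "__main__":
    print("suspicious:", matches_rule(SUSPICIOUS, KNOWN_SENDERS))  # True
    print("benign:", matches_rule(BENIGN, KNOWN_SENDERS))          # False
```

The benign copy differs only in that its Reply-To points back at the From address, so the mismatch clause alone decides; a previously seen sender is also excluded, matching the rule's `prevalence == "new"` guard.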
