Reconnaissance: Hotel booking reply-to redirect
Detects messages impersonating hotel booking inquiries by identifying common hotel-related language patterns in messages whose reply-to address belongs to a free email provider and differs from the sender domain. Such messages are often sent to validate whether a recipient address is valid, potentially preceding an attack.
Sublime rule
name: "Reconnaissance: Hotel booking reply-to redirect"
description: "Detects messages impersonating hotel booking inquiries by identifying common hotel-related language patterns from senders where the reply-to is a free email provider and differs from the sender domain in an effort to validate whether a recipient address is valid or not, potentially preceding an attack."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(headers.reply_to,
          .email.domain.root_domain in $free_email_providers
          and .email.domain.root_domain != sender.email.domain.root_domain
  )
  and all(recipients.to,
          .email.domain.root_domain != sender.email.domain.root_domain
  )
  and length(body.links) == 0
  and length(attachments) == 0
  and length(body.current_thread.text) < 600
  and not (
    (subject.is_reply or subject.is_forward)
    and (length(headers.references) > 0 or headers.in_reply_to is not null)
  )
  and (
    (
      strings.ilike(body.current_thread.text,
                    '*hotel*',
                    '*your property*',
                    '*accommodation*',
                    '*guest services*',
                    '*reception*',
                    '*front desk*'
      )
      and strings.ilike(body.current_thread.text,
                        '*booking*',
                        '*to book*',
                        '*book a *',
                        '*reserv*',
                        '*room*',
                        '*suite*',
                        '*availability*',
                        '*check-in*',
                        '*available dates*',
                        '*family trip*',
                        '*deluxe accommodation*',
                        '*two children*',
                        '*hotel manager*'
      )
    )
    or strings.ilike(subject.base,
                     '*hotel*',
                     '*room reserv*',
                     '*room inquiry*',
                     '*room availability*',
                     '*suite*',
                     '*accommodation*'
    )
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "08c36035-dc50-5169-808c-c8a6d2f64932"
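To see how the rule's conditions combine, here is an added Python approximation of its logic run over constructed sample messages; this is not Sublime's code or engine. `FREE_EMAIL_PROVIDERS` is a constructed stand-in for the `$free_email_providers` list, `root_domain` and `ilike` are simplified approximations of the MQL functions (the root-domain helper takes the last two labels and does not handle public suffixes such as `co.uk`), and the messages are made up.

```python
import fnmatch

# Constructed stand-in for Sublime's $free_email_providers list (assumption).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
HOTEL_TERMS = ["*hotel*", "*your property*", "*accommodation*",
               "*guest services*", "*reception*", "*front desk*"]
BOOKING_TERMS = ["*booking*", "*to book*", "*book a *", "*reserv*", "*room*",
                 "*suite*", "*availability*", "*check-in*", "*available dates*",
                 "*family trip*", "*deluxe accommodation*", "*two children*",
                 "*hotel manager*"]
SUBJECT_TERMS = ["*hotel*", "*room reserv*", "*room inquiry*",
                 "*room availability*", "*suite*", "*accommodation*"]

def root_domain(address):
    """Approximates .email.domain.root_domain as the last two domain labels."""
    return ".".join(address.rsplit("@", 1)[-1].lower().split(".")[-2:])

def ilike(text, patterns):
    """Approximates strings.ilike: case-insensitive glob, any pattern hits."""
    return any(fnmatch.fnmatchcase(text.lower(), p) for p in patterns)

def matches_rule(msg):
    """True when the message satisfies every condition of the rule."""
    sender = root_domain(msg["sender"])
    reply_to_redirect = any(root_domain(r) in FREE_EMAIL_PROVIDERS
                            and root_domain(r) != sender for r in msg["reply_to"])
    recipients_external = all(root_domain(r) != sender for r in msg["to"])
    subject = msg["subject"]
    is_reply_or_fwd = subject.lower().startswith(("re:", "fw:", "fwd:"))
    threaded = is_reply_or_fwd and bool(msg["references"] or msg["in_reply_to"])
    base = subject.split(":", 1)[1].strip() if is_reply_or_fwd else subject
    body = msg["body"]
    hotel_language = ((ilike(body, HOTEL_TERMS) and ilike(body, BOOKING_TERMS))
                      or ilike(base, SUBJECT_TERMS))
    return (reply_to_redirect and recipients_external and not msg["links"]
            and not msg["attachments"] and len(body) < 600
            and not threaded and hotel_language)

# Constructed sample messages (not real traffic); empty fields mean "none".
SUSPICIOUS = {"sender": "reservations@example-travel.com",
              "reply_to": ["travel.desk.1234@gmail.com"],
              "to": ["frontdesk@example-hotel.com"], "subject": "Room inquiry",
              "body": "Hello, I would like to book a room at your hotel for a "
                      "family trip. Please confirm availability.",
              "links": [], "attachments": [], "references": [], "in_reply_to": None}
THREADED_REPLY = dict(SUSPICIOUS, subject="Re: Room inquiry",
                      references=["<placeholder-message-id@example-hotel.com>"],
                      in_reply_to="<placeholder-message-id@example-hotel.com>")
```

The second sample keeps the same reply-to redirect and hotel language but sits in an established thread, which the `not (...)` clause deliberately excludes to avoid flagging genuine back-and-forth with guests.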