Reconnaissance: All recipients cc/bcc'd or undisclosed

calendar Dec 2, 2025 · Attack surface reduction Deliverability testing  ·
Share on: linkedin copy

Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

All recipients are bcc'd or undisclosed, with no links or attachments, and a short body and subject from an unknown sender.

Sublime rule (View on GitHub)

 1name: "Reconnaissance: All recipients cc/bcc'd or undisclosed"
 2description: |
 3  Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.
 4
 5  All recipients are bcc'd or undisclosed, with no links or attachments, and a short body and subject from an unknown sender.  
 6type: "rule"
 7severity: "low"
 8source: |
 9  type.inbound
10  and (
11    length(recipients.bcc) > 0
12    or length(recipients.cc) > 0
13    or any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
14  )
15  and (
16    length(subject.base) <= 10
17    or (
18      strings.ilike(subject.base, "*checking*", "*testing*")
19      and length(subject.base) <= 25
20    )
21  )
22  and length(attachments) == 0
23  // and there are no links. Or all the links are to aka.ms or an extraction from a warning banner that match the senders domain
24  and (
25    length(body.links) == 0
26    or length(filter(body.links,
27                     (
28                       .display_text is null
29                       and .display_url.url == sender.email.domain.root_domain
30                     )
31                     or .href_url.domain.domain == "aka.ms"
32              )
33    ) == length(body.links)
34  )
35  and (
36    body.current_thread.text is null
37    or length(body.current_thread.text) < 50
38    or (
39      length(body.current_thread.text) < 900
40      // or body is most likely all warning banner ending with a generic greeting
41      and regex.imatch(body.current_thread.text, '.*(hi|hello)')
42    )
43    // body length without disclaimer is shorter than 50 characters
44    or (
45      any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
46                     .name == "disclaimer"
47              ),
48              .text
49          ),
50          (length(body.current_thread.text) - length(.)) < 50
51      )
52    )
53    // matching nlu_classifier 'bec' to smaller messages less than 200
54    or (
55          any(ml.nlu_classifier(body.current_thread.text).intents,
56              .name == "bec" and .confidence in ("high", "medium")
57      )
58      and length(body.current_thread.text) < 200
59      and not regex.icontains(body.html.raw, '(?:<div data-smartmail=|gmail_signature(?:_[^"]*)?)') // not condition to exclude smaller messages with a legitimate email signature
60      and length(body.previous_threads) == 0 // excluding messages with simple responses to other threads
61    )
62  )
63  and profile.by_sender().prevalence != "common"
64  and not profile.by_sender().solicited
65  and not profile.by_sender().any_messages_benign
66  
67  // negate highly trusted sender domains unless they fail DMARC authentication
68  and (
69    (
70      sender.email.domain.root_domain in $high_trust_sender_root_domains
71      and not headers.auth_summary.dmarc.pass
72    )
73    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
74  )  
75
76tags:
77  - "Attack surface reduction"
78  - "Deliverability testing"
79attack_types:
80  - "Reconnaissance"
81detection_methods:
82  - "Content analysis"
83  - "Header analysis"
84  - "Sender analysis"
85id: "420f60d3-5d10-5384-9253-9521a758e799"

Related rules

to-top