Reconnaissance: Short generic greeting message

Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.

Sublime rule (View on GitHub)

 1name: "Reconnaissance: Short generic greeting message"
 2description: |
 3    Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and length(body.current_thread.text) <= 10
 9  and length(subject.base) <= 10
10  // detect generic greetings
11  and (
12    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "greeting")
13    or strings.ilike(body.current_thread.text, "*hi*", "*hello*", "*hey*")
14    or length(body.current_thread.text) <= 5
15  )
16  // external freemail sender
17  and sender.email.domain.root_domain in $free_email_providers
18  and sender.email.domain.root_domain not in (
19    recipients.to[0].email.domain.root_domain
20  )
21  and (
22    length(recipients.cc) == 0
23    or (
24      length(recipients.cc) > 0
25      and all(recipients.cc,
26              .email.domain.root_domain != sender.email.domain.root_domain
27      )
28    )
29  )
30  and (
31    length(recipients.bcc) == 0
32    or (
33      length(recipients.bcc) > 0
34      and all(recipients.bcc,
35              .email.domain.root_domain != sender.email.domain.root_domain
36      )
37    )
38  )
39  // no attachments or links  
40  and length(attachments) == 0
41  and length(body.links) == 0
42  // negate sender profiles completely if auth is failing
43  and (
44    (
45      not (
46        headers.auth_summary.dmarc.pass == false
47        or headers.auth_summary.spf.pass == false
48      )
49      and (
50        not profile.by_sender().solicited
51        or (
52          profile.by_sender().any_messages_malicious_or_spam
53          and not profile.by_sender().any_false_positives
54        )
55      )
56      and not profile.by_sender().any_false_positives
57    )
58    or (
59      headers.auth_summary.dmarc.pass == false
60      or headers.auth_summary.spf.pass == false
61    )
62  )  
63
64tags:
65 - "Attack surface reduction"
66attack_types:
67  - "BEC/Fraud"
68  - "Callback Phishing"
69tactics_and_techniques:
70  - "Social engineering"
71  - "Free email provider"
72detection_methods:
73  - "Content analysis"
74  - "Header analysis"
75  - "Natural Language Understanding"
76  - "Sender analysis"
77id: "c67dedab-91f5-5bbe-af81-f9895a02c065"

Related rules

to-top