Reconnaissance: Short generic greeting message

calendar Jan 27, 2026 · Attack surface reduction  ·
Share on: linkedin copy

Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.

Sublime rule (View on GitHub)

 1name: "Reconnaissance: Short generic greeting message"
 2description: |
 3    Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  // detect generic greetings
 9  and length(body.current_thread.text) <= 20
10  and length(subject.base) <= 15
11  // exclude messages with previous thread context (forwards/replies)
12  and length(body.previous_threads) == 0
13  and (
14    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "greeting")
15    or strings.ilike(body.current_thread.text, "*hi*", "*hello*", "*hey*")
16    or length(body.current_thread.text) <= 5
17    or regex.match(body.current_thread.text, '\d+')
18  )
19  // external freemail sender
20  and sender.email.domain.root_domain in $free_email_providers
21  and sender.email.domain.root_domain not in (
22    recipients.to[0].email.domain.root_domain
23  )
24  and (
25    length(recipients.cc) == 0
26    or (
27      length(recipients.cc) > 0
28      and all(recipients.cc,
29              .email.domain.root_domain != sender.email.domain.root_domain
30      )
31    )
32  )
33  and (
34    length(recipients.bcc) == 0
35    or (
36      length(recipients.bcc) > 0
37      and all(recipients.bcc,
38              .email.domain.root_domain != sender.email.domain.root_domain
39      )
40    )
41  )
42  // no attachments or links
43  and length(attachments) == 0
44  and length(body.current_thread.links) == 0
45  // negate sender profiles completely if auth is failing
46  and (
47    (
48      not (
49        coalesce(headers.auth_summary.dmarc.pass, false)
50        or headers.auth_summary.spf.pass == false
51      )
52      and (
53        not profile.by_sender().solicited
54        or (
55          profile.by_sender().any_messages_malicious_or_spam
56          and not profile.by_sender().any_messages_benign
57        )
58      )
59      and not profile.by_sender().any_messages_benign
60    )
61    or (
62      coalesce(headers.auth_summary.dmarc.pass, false)
63      or headers.auth_summary.spf.pass == false
64    )
65  )  
66
67tags:
68 - "Attack surface reduction"
69attack_types:
70  - "BEC/Fraud"
71  - "Callback Phishing"
72tactics_and_techniques:
73  - "Social engineering"
74  - "Free email provider"
75detection_methods:
76  - "Content analysis"
77  - "Header analysis"
78  - "Natural Language Understanding"
79  - "Sender analysis"
80id: "c67dedab-91f5-5bbe-af81-f9895a02c065"

Related rules

to-top