Reconnaissance: Short generic greeting message

calendar Dec 2, 2025 · Attack surface reduction  ·
Share on: linkedin copy

Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.

Sublime rule (View on GitHub)

 1name: "Reconnaissance: Short generic greeting message"
 2description: |
 3    Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and length(body.current_thread.text) <= 20
 9  and length(subject.base) <= 15
10  // exclude messages with previous thread context (forwards/replies)
11  and length(body.previous_threads) == 0
12  // detect generic greetings
13  and (
14    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "greeting")
15    or strings.ilike(body.current_thread.text, "*hi*", "*hello*", "*hey*")
16    or length(body.current_thread.text) <= 5
17  )
18  // external freemail sender
19  and sender.email.domain.root_domain in $free_email_providers
20  and sender.email.domain.root_domain not in (
21    recipients.to[0].email.domain.root_domain
22  )
23  and (
24    length(recipients.cc) == 0
25    or (
26      length(recipients.cc) > 0
27      and all(recipients.cc,
28              .email.domain.root_domain != sender.email.domain.root_domain
29      )
30    )
31  )
32  and (
33    length(recipients.bcc) == 0
34    or (
35      length(recipients.bcc) > 0
36      and all(recipients.bcc,
37              .email.domain.root_domain != sender.email.domain.root_domain
38      )
39    )
40  )
41  // no attachments or links
42  and length(attachments) == 0
43  and length(body.current_thread.links) == 0
44  // negate sender profiles completely if auth is failing
45  and (
46    (
47      not (
48        headers.auth_summary.dmarc.pass == false
49        or headers.auth_summary.spf.pass == false
50      )
51      and (
52        not profile.by_sender().solicited
53        or (
54          profile.by_sender().any_messages_malicious_or_spam
55          and not profile.by_sender().any_false_positives
56        )
57      )
58      and not profile.by_sender().any_false_positives
59    )
60    or (
61      headers.auth_summary.dmarc.pass == false
62      or headers.auth_summary.spf.pass == false
63    )
64  )  
65
66tags:
67 - "Attack surface reduction"
68attack_types:
69  - "BEC/Fraud"
70  - "Callback Phishing"
71tactics_and_techniques:
72  - "Social engineering"
73  - "Free email provider"
74detection_methods:
75  - "Content analysis"
76  - "Header analysis"
77  - "Natural Language Understanding"
78  - "Sender analysis"
79id: "c67dedab-91f5-5bbe-af81-f9895a02c065"

Related rules

to-top