Reconnaissance: Short generic greeting message
Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.
Sublime rule (View on GitHub)
1name: "Reconnaissance: Short generic greeting message"
2description: |
3 Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and length(body.current_thread.text) <= 10
9 and length(subject.base) <= 10
10 // detect generic greetings
11 and (
12 any(ml.nlu_classifier(body.current_thread.text).entities, .name == "greeting")
13 or strings.ilike(body.current_thread.text, "*hi*", "*hello*", "*hey*")
14 or length(body.current_thread.text) <= 5
15 )
16 // external freemail sender
17 and sender.email.domain.root_domain in $free_email_providers
18 and sender.email.domain.root_domain not in (
19 recipients.to[0].email.domain.root_domain
20 )
21 and (
22 length(recipients.cc) == 0
23 or (
24 length(recipients.cc) > 0
25 and all(recipients.cc,
26 .email.domain.root_domain != sender.email.domain.root_domain
27 )
28 )
29 )
30 and (
31 length(recipients.bcc) == 0
32 or (
33 length(recipients.bcc) > 0
34 and all(recipients.bcc,
35 .email.domain.root_domain != sender.email.domain.root_domain
36 )
37 )
38 )
39 // no attachments or links
40 and length(attachments) == 0
41 and length(body.links) == 0
42 // negate sender profiles completely if auth is failing
43 and (
44 (
45 not (
46 headers.auth_summary.dmarc.pass == false
47 or headers.auth_summary.spf.pass == false
48 )
49 and (
50 not profile.by_sender().solicited
51 or (
52 profile.by_sender().any_messages_malicious_or_spam
53 and not profile.by_sender().any_false_positives
54 )
55 )
56 and not profile.by_sender().any_false_positives
57 )
58 or (
59 headers.auth_summary.dmarc.pass == false
60 or headers.auth_summary.spf.pass == false
61 )
62 )
63
64tags:
65 - "Attack surface reduction"
66attack_types:
67 - "BEC/Fraud"
68 - "Callback Phishing"
69tactics_and_techniques:
70 - "Social engineering"
71 - "Free email provider"
72detection_methods:
73 - "Content analysis"
74 - "Header analysis"
75 - "Natural Language Understanding"
76 - "Sender analysis"
77id: "c67dedab-91f5-5bbe-af81-f9895a02c065"