Reconnaissance: Short generic greeting message
Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.
Sublime rule (View on GitHub)
1name: "Reconnaissance: Short generic greeting message"
2description: |
3 Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 // detect generic greetings
9 and length(body.current_thread.text) <= 20
10 and length(subject.base) <= 15
11 // exclude messages with previous thread context (forwards/replies)
12 and length(body.previous_threads) == 0
13 and (
14 any(ml.nlu_classifier(body.current_thread.text).entities, .name == "greeting")
15 or strings.ilike(body.current_thread.text, "*hi*", "*hello*", "*hey*")
16 or length(body.current_thread.text) <= 5
17 or regex.match(body.current_thread.text, '\d+')
18 )
19 // external freemail sender
20 and sender.email.domain.root_domain in $free_email_providers
21 and (
22 sender.email.domain.root_domain not in (
23 recipients.to[0].email.domain.root_domain
24 )
25 or (
26 (
27 all(recipients.to, .email.domain.valid == false)
28 and all(recipients.cc, .email.domain.valid == false)
29 )
30 or length(recipients.to) == 0
31 )
32 )
33 and (
34 length(recipients.cc) == 0
35 or (
36 length(recipients.cc) > 0
37 and all(recipients.cc,
38 .email.domain.root_domain != sender.email.domain.root_domain
39 )
40 )
41 )
42 and (
43 length(recipients.bcc) == 0
44 or (
45 length(recipients.bcc) > 0
46 and all(recipients.bcc,
47 .email.domain.root_domain != sender.email.domain.root_domain
48 )
49 )
50 )
51 // no attachments or links
52 and length(attachments) == 0
53 and length(body.current_thread.links) == 0
54
55 // not where the sender and mailbox display_anames indicate this might be a personal email --> work email
56 // impersonation is covered by other core feed rules
57 and not (
58 sum([length(recipients.to), length(recipients.bcc), length(recipients.cc)]) == 1
59 // use coalesce to deal with either the sender.display_name or the mailbox element being null
60 // if either are null, the function returns false, as it cannot be true if either is null
61 and coalesce(strings.icontains(sender.display_name, mailbox.first_name),
62 false
63 )
64 and coalesce(strings.icontains(sender.display_name, mailbox.last_name), false)
65 )
66 and (
67 // auth failed (or absent) - ignore the profile
68 coalesce(headers.auth_summary.dmarc.pass, false) == false
69 or coalesce(headers.auth_summary.spf.pass, false) == false
70 // auth passed - use the profile
71 or (
72 // no benign messages
73 not profile.by_sender_email().any_messages_benign
74 and (
75 // not soliticed OR common
76 not (
77 profile.by_sender_email().solicited
78 or profile.by_sender_email().prevalence == "common"
79 )
80 // or HAS been spam_malicious
81 or profile.by_sender_email().any_messages_malicious_or_spam
82 )
83 )
84 )
85tags:
86 - "Attack surface reduction"
87attack_types:
88 - "BEC/Fraud"
89 - "Callback Phishing"
90tactics_and_techniques:
91 - "Social engineering"
92 - "Free email provider"
93detection_methods:
94 - "Content analysis"
95 - "Header analysis"
96 - "Natural Language Understanding"
97 - "Sender analysis"
98id: "c67dedab-91f5-5bbe-af81-f9895a02c065"