Reconnaissance: Short generic greeting message

Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.

Sublime rule (View on GitHub)

 1name: "Reconnaissance: Short generic greeting message"
 2description: |
 3    Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  // detect generic greetings
 9  and length(body.current_thread.text) <= 20
10  and length(subject.base) <= 15
11  // exclude messages with previous thread context (forwards/replies)
12  and length(body.previous_threads) == 0
13  and (
14    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "greeting")
15    or strings.ilike(body.current_thread.text, "*hi*", "*hello*", "*hey*")
16    or length(body.current_thread.text) <= 5
17    or regex.match(body.current_thread.text, '\d+')
18  )
19  // external freemail sender
20  and sender.email.domain.root_domain in $free_email_providers
21  and (
22    sender.email.domain.root_domain not in (
23      recipients.to[0].email.domain.root_domain
24    )
25    or (
26      (
27        all(recipients.to, .email.domain.valid == false)
28        and all(recipients.cc, .email.domain.valid == false)
29      )
30      or length(recipients.to) == 0
31    )
32  )
33  and (
34    length(recipients.cc) == 0
35    or (
36      length(recipients.cc) > 0
37      and all(recipients.cc,
38              .email.domain.root_domain != sender.email.domain.root_domain
39      )
40    )
41  )
42  and (
43    length(recipients.bcc) == 0
44    or (
45      length(recipients.bcc) > 0
46      and all(recipients.bcc,
47              .email.domain.root_domain != sender.email.domain.root_domain
48      )
49    )
50  )
51  // no attachments or links
52  and length(attachments) == 0
53  and length(body.current_thread.links) == 0
54  
55  // not where the sender and mailbox display_anames indicate this might be a personal email --> work email
56  // impersonation is covered by other core feed rules
57  and not (
58    sum([length(recipients.to), length(recipients.bcc), length(recipients.cc)]) == 1
59    // use coalesce to deal with either the sender.display_name or the mailbox element being null
60    // if either are null, the function returns false, as it cannot be true if either is null
61    and coalesce(strings.icontains(sender.display_name, mailbox.first_name),
62                 false
63    )
64    and coalesce(strings.icontains(sender.display_name, mailbox.last_name), false)
65  )
66  and (
67    // auth failed (or absent) - ignore the profile
68    coalesce(headers.auth_summary.dmarc.pass, false) == false
69    or coalesce(headers.auth_summary.spf.pass, false) == false
70    // auth passed - use the profile
71    or (
72      // no benign messages
73      not profile.by_sender_email().any_messages_benign
74      and (
75        // not soliticed OR common
76        not (
77          profile.by_sender_email().solicited
78          or profile.by_sender_email().prevalence == "common"
79        )
80        // or HAS been spam_malicious
81        or profile.by_sender_email().any_messages_malicious_or_spam
82      )
83    )
84  )  
85tags:
86 - "Attack surface reduction"
87attack_types:
88  - "BEC/Fraud"
89  - "Callback Phishing"
90tactics_and_techniques:
91  - "Social engineering"
92  - "Free email provider"
93detection_methods:
94  - "Content analysis"
95  - "Header analysis"
96  - "Natural Language Understanding"
97  - "Sender analysis"
98id: "c67dedab-91f5-5bbe-af81-f9895a02c065"

Related rules

to-top