Free Email Provider Sender with Mismatched Provider Reply-To
Detects when a sender using a free email provider includes a reply-to address from a different free email provider, which is a common social engineering tactic.
Sublime rule
name: "Free Email Provider Sender with Mismatched Provider Reply-To"
description: "Detects when a sender using a free email provider includes a reply-to address from a different free email provider, which is a common social engineering tactic."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain in $free_email_providers
  and length(headers.reply_to) > 0
  and any(headers.reply_to,
          .email.domain.root_domain in $free_email_providers
          and .email.domain.root_domain != sender.email.domain.root_domain
          and .email.domain.root_domain not in ("googlegroups.com")
  )
  // secureserver.net seems to rewrite the sender local part to be the reply-to domain for bounces
  // observed in many newsletters sent via secureserver.net
  and not (
    strings.istarts_with(sender.email.domain.domain, 'bounces.')
    and sender.email.domain.root_domain == 'secureserver.net'
    and all(headers.reply_to,
            strings.istarts_with(sender.email.local_part, .email.local_part)
            and strings.iends_with(sender.email.local_part, .email.domain.domain)
    )
  )
  // lists.riseup.net sends from the list address and uses the reply-to of the sender
  // the sender is within the X-Original-From header and contains the full "From" header
  and not (
    sender.email.domain.domain == "lists.riseup.net"
    and any(headers.hops,
            any(.fields,
                .name =~ "X-Original-From"
                and any(headers.reply_to,
                        strings.icontains(..value, .email.email)
                )
            )
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "fcd831d0-9e03-5c9a-aa2f-af37d3a8c156"
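The following is an added Python approximation of the rule's logic, written for this page and not Sublime Security's own code, so the two exclusions can be exercised against constructed messages. It assumes a small stand-in set for $free_email_providers (the real list is not on the page; riseup.net and secureserver.net are included in it only so the exclusions are reachable), approximates root_domain as the last two labels instead of a Public Suffix List lookup, reads X-Original-From directly from the top-level headers rather than from the Received hops, and does not model type.inbound.

```python
"""Added example: Python approximation of the Sublime rule above.
Not Sublime Security's code; assumptions are marked in comments."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# ASSUMPTION: constructed stand-in for $free_email_providers. riseup.net and
# secureserver.net are included only so both exclusions can be exercised here;
# the page does not state whether they are in Sublime's real list.
FREE_EMAIL_PROVIDERS = {
    "gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com",
    "riseup.net", "secureserver.net",
}


def root_domain(domain: str) -> str:
    """Registered domain, approximated as the last two labels (no PSL lookup)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_address(addr: str):
    """Split 'local@domain' into (local_part, domain, root_domain), lowercased."""
    local, _, domain = addr.lower().partition("@")
    return local, domain, root_domain(domain)


def sender_address(msg: Message) -> str:
    addrs = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    return addrs[0] if addrs else ""


def reply_to_addresses(msg: Message):
    # getaddresses copes with display names and comma-separated address lists.
    return [a for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]


def is_secureserver_bounce(sender: str, reply_tos) -> bool:
    """Exclusion 1: secureserver.net bounce senders whose local part embeds the reply-to."""
    s_local, s_domain, s_root = parse_address(sender)
    if not (s_domain.startswith("bounces.") and s_root == "secureserver.net"):
        return False
    return all(
        s_local.startswith(r_local) and s_local.endswith(r_domain)
        for r_local, r_domain, _ in map(parse_address, reply_tos)
    )


def is_riseup_list(msg: Message, sender: str, reply_tos) -> bool:
    """Exclusion 2: lists.riseup.net, where X-Original-From carries the reply-to address."""
    _, s_domain, _ = parse_address(sender)
    if s_domain != "lists.riseup.net":
        return False
    # ASSUMPTION: read the header at top level instead of walking headers.hops.
    originals = [v.lower() for v in msg.get_all("X-Original-From", [])]
    return any(r.lower() in v for v in originals for r in reply_tos)


def mismatched_free_provider_reply_to(raw: str) -> bool:
    """True when the message matches the rule (sender free provider, reply-to a
    different free provider, and neither exclusion applies)."""
    msg = message_from_string(raw)
    sender = sender_address(msg)
    reply_tos = reply_to_addresses(msg)
    if not sender or not reply_tos:          # length(headers.reply_to) > 0
        return False
    _, _, s_root = parse_address(sender)
    if s_root not in FREE_EMAIL_PROVIDERS:
        return False
    mismatched = any(
        r_root in FREE_EMAIL_PROVIDERS
        and r_root != s_root
        and r_root != "googlegroups.com"
        for _, _, r_root in map(parse_address, reply_tos)
    )
    if not mismatched:
        return False
    if is_secureserver_bounce(sender, reply_tos) or is_riseup_list(msg, sender, reply_tos):
        return False
    return True


def make_message(from_addr: str, reply_to: str, **extra) -> str:
    """Build a minimal constructed RFC 5322 message (not a real capture)."""
    headers = [f"From: {from_addr}", f"Reply-To: {reply_to}", "Subject: test"]
    for name, value in extra.items():
        headers.append(f"{name.replace('_', '-')}: {value}")
    return "\n".join(headers) + "\n\nbody\n"


if __name__ == "__main__":
    print(mismatched_free_provider_reply_to(
        make_message('"Bob" <bob@gmail.com>', "bob.helpdesk@yahoo.com")))
```

The helper make_message lets you feed the checker a handful of constructed header sets: a Gmail sender with a Yahoo reply-to fires, the same sender replying to itself or to a non-free domain does not, a bounces.secureserver.net sender whose local part starts with the reply-to local part and ends with its domain is excluded, and a lists.riseup.net sender is excluded only when X-Original-From contains the reply-to address.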