Sender: IP address in local part

Detects messages where the sender's email local part (the portion of the address before the @) contains an IPv4 address, a pattern commonly used in malicious campaigns to bypass filters or to appear legitimate.

Sublime rule

name: "Sender: IP address in local part"
description: "Detects messages where the sender's email local part contains an IPv4 address, which is commonly used in malicious campaigns to bypass filters or appear legitimate."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.current_thread.text) > 100
  and regex.icontains(sender.email.local_part,
                      '(?:\d{1,3}\.){3}\d{1,3}[^\.][[:alpha:]]+',
                      '[[:alpha:]]+(?:\d{1,3}\.){3}\d{1,3}[^\.]'
  )
  and not (
    strings.ilike(sender.email.local_part, "*report*", "*abuse*")
    or any(ml.nlu_classifier(body.current_thread.text).topics,
           .name == "Bounce Back and Delivery Failure Notifications"
           and .confidence != "low"
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Spam"
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Spoofing"
detection_methods:
  - "Sender analysis"
id: "e271fa80-e10e-5f75-b218-5b92bae97655"
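The rule's predicate restated in Python as an added example (this is not part of the Sublime rule or its repository), so it can be exercised against constructed sender local parts offline. `regex.icontains` is a case-insensitive substring search, so each alternative is translated to `re.search` with `re.IGNORECASE`, and the POSIX class `[[:alpha:]]` is written as `[A-Za-z]`. The `ml.nlu_classifier(...).topics` call cannot be reproduced here, so the classifier output is modelled as a caller-supplied list of (name, confidence) pairs; that modelling, the helper names and the sample local parts are assumptions of this example. The samples also show two consequences of the pattern as written: a local part that ends immediately after a single-digit octet leaves nothing for the trailing `[^\.]` or `[[:alpha:]]+` to consume and therefore does not fire, and a bounce-notification topic at `low` confidence does not exclude the message.

```python
import re

# Python translation of the rule's two regex alternatives. Sublime's
# regex.icontains() is a case-insensitive substring search, so each one is
# applied with re.search() and re.IGNORECASE; POSIX [[:alpha:]] becomes [A-Za-z].
IP_THEN_LETTERS = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}[^.][A-Za-z]+", re.IGNORECASE)
LETTERS_THEN_IP = re.compile(r"[A-Za-z]+(?:\d{1,3}\.){3}\d{1,3}[^.]", re.IGNORECASE)

# strings.ilike(local_part, "*report*", "*abuse*"): case-insensitive substring terms.
EXCLUDED_LOCAL_PART_TERMS = ("report", "abuse")
BOUNCE_TOPIC = "Bounce Back and Delivery Failure Notifications"

# Constructed stand-in for a body longer than the rule's 100-character threshold.
LONG_BODY = "x" * 120


def local_part_has_ip(local_part: str) -> bool:
    """Mirror the regex.icontains() clause: either alternative anywhere in the local part."""
    return bool(IP_THEN_LETTERS.search(local_part) or LETTERS_THEN_IP.search(local_part))


def looks_like_bounce(topics) -> bool:
    """Mirror the any(ml.nlu_classifier(...).topics, ...) exclusion.

    `topics` is an iterable of (name, confidence) pairs standing in for the
    classifier output (an assumption of this example, not the real API shape).
    Only a non-'low' confidence hit on the bounce topic excludes the message.
    """
    return any(name == BOUNCE_TOPIC and confidence != "low" for name, confidence in topics)


def rule_matches(inbound: bool, local_part: str, body_text: str, topics=()) -> bool:
    """Evaluate the whole `source` predicate of the rule for one message."""
    if not inbound:
        return False
    if len(body_text) <= 100:  # length(body.current_thread.text) > 100
        return False
    if not local_part_has_ip(local_part):
        return False
    lowered = local_part.lower()
    if any(term in lowered for term in EXCLUDED_LOCAL_PART_TERMS):
        return False
    if looks_like_bounce(topics):
        return False
    return True


# Constructed sample messages: (label, local_part, classifier topics, expected verdict).
SAMPLES = [
    ("IP followed by letters", "203.0.113.7payments", (), True),
    ("letters, then IP, then one more character", "invoice198.51.100.22x", (), True),
    ("ends right after a single-digit octet: no trailing char for the regex",
     "user192.168.0.1", (), False),
    ("excluded by the *report* local-part term", "report203.0.113.7abc", (), False),
    ("excluded by bounce topic at medium confidence",
     "mailer203.0.113.7xyz", ((BOUNCE_TOPIC, "medium"),), False),
    ("bounce topic at low confidence does not exclude",
     "mailer203.0.113.7xyz", ((BOUNCE_TOPIC, "low"),), True),
    ("ordinary local part without an IP", "alice.smith", (), False),
]


def evaluate_samples():
    """Run every constructed sample through the rule and return the verdicts in order."""
    return [rule_matches(True, local_part, LONG_BODY, topics)
            for _label, local_part, topics, _expected in SAMPLES]


if __name__ == "__main__":
    for (label, local_part, _topics, expected), verdict in zip(SAMPLES, evaluate_samples()):
        status = "ok " if verdict == expected else "BAD"
        print(f"{status} {verdict!s:5} {local_part:<24} {label}")
```

The `user192.168.0.1` case is worth keeping in mind when reading hits: the rule is not "local part contains an IPv4 address" but "an IPv4 address adjacent to letters with at least one character on the far side", so a local part that terminates exactly at a one-digit octet falls through, while `user198.51.100.22` still fires because `\d{1,3}` can give up its last digit to the trailing `[^\.]`.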
