Body: Embedded email headers indicative of thread hijacking/abuse

Detects email headers embedded in the message body content, indicating forwarded phishing attempts, MIME boundary manipulation, delivery notification spoofing, or copy-paste phishing. This pattern is commonly seen when attackers forward legitimate emails and the headers get included in the body, or when spoofing system notifications.

Sublime rule

```yaml
name: "Body: Embedded email headers indicative of thread hijacking/abuse"
description: "Detects email headers embedded in the message body content, indicating forwarded phishing attempts, MIME boundary manipulation, delivery notification spoofing, or copy-paste phishing. This pattern is commonly seen when attackers forward legitimate emails and the headers get included in the body, or when spoofing system notifications."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Headers are in the body.plain.raw but not the body.html.raw
  and 2 of (
    strings.icontains(body.plain.raw, "Delivered-To:")
    and not strings.icontains(body.html.raw, "Delivered-To:"),
    strings.icontains(body.plain.raw, "X-Google-Smtp-Source:")
    and not strings.icontains(body.html.raw, "X-Google-Smtp-Source:"),
    strings.icontains(body.plain.raw, "ARC-Seal: i=")
    and not strings.icontains(body.html.raw, "ARC-Seal: i="),
  )
  and 1 of (
    regex.icontains(body.plain.raw, "Received: by .{10,80} with SMTP id")
    and not regex.icontains(body.html.raw, "Received: by .{10,80} with SMTP id"),
    regex.icontains(body.plain.raw, "X-Received: by .{10,80} with SMTP id")
    and not regex.icontains(body.html.raw, "X-Received: by .{10,80} with SMTP id"),
  )
  // Negate legitimate forwards where users intentionally include headers
  and not (
    (length(headers.references) > 0 or headers.in_reply_to is not null)
    and (subject.is_forward or subject.is_reply)
    and length(body.previous_threads) >= 1
  )
  // Sender is not from org or high trust domains
  and sender.email.domain.root_domain not in $org_domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "6e8eeebb-5ea2-53e0-b4a8-c07d1248d177"
```
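The same detection logic as plain Python, run over a constructed message, as an added example rather than Sublime's own code: it mirrors the "2 of / 1 of" plain-vs-HTML checks, the legitimate-forward negation and the sender-domain gate, approximating `subject.is_forward` / `subject.is_reply` with a subject-prefix check and passing `$org_domains` / `$high_trust_sender_root_domains` as plain sets (all message fields and sample values are assumptions).

```python
import re

# Header markers the rule above looks for in the plain-text body.
SIMPLE_MARKERS = ("Delivered-To:", "X-Google-Smtp-Source:", "ARC-Seal: i=")
RECEIVED_PATTERNS = tuple(
    re.compile(p, re.I)
    for p in (r"Received: by .{10,80} with SMTP id", r"X-Received: by .{10,80} with SMTP id")
)

def plain_only(plain, html, needle):
    """Marker present in the plain body but absent from the HTML body (case-insensitive)."""
    return needle.lower() in plain.lower() and needle.lower() not in html.lower()

def regex_plain_only(plain, html, pattern):
    return bool(pattern.search(plain)) and not pattern.search(html)

def is_legit_forward(msg):
    """The rule's negation: threaded, forward/reply subject, and a quoted previous thread."""
    threaded = bool(msg.get("references")) or msg.get("in_reply_to") is not None
    fwd_or_reply = msg["subject"].lower().startswith(("fwd:", "fw:", "re:"))  # approximation
    return threaded and fwd_or_reply and msg.get("previous_threads", 0) >= 1

def sender_untrusted(msg, org_domains, high_trust):
    """Outside the org, and either not high-trust or high-trust without a DMARC pass."""
    dom = msg["sender_root_domain"]
    return dom not in org_domains and (dom not in high_trust or not msg["dmarc_pass"])

def embedded_headers_match(msg, org_domains=frozenset(), high_trust=frozenset()):
    """Port of the rule: 2 of 3 simple markers, 1 of 2 Received patterns, no exclusions."""
    plain, html = msg["body_plain"], msg.get("body_html", "")
    simple_hits = sum(plain_only(plain, html, m) for m in SIMPLE_MARKERS)
    received_hits = sum(regex_plain_only(plain, html, p) for p in RECEIVED_PATTERNS)
    return (simple_hits >= 2 and received_hits >= 1
            and not is_legit_forward(msg)
            and sender_untrusted(msg, org_domains, high_trust))

# Constructed sample: Gmail-style headers pasted into the plain body but missing from the HTML part.
LEAKED_HEADERS = (
    "Delivered-To: victim@example.com\n"
    "Received: by 2002:a05:6000:1234:b0:1a2:3b4c:5d6e with SMTP id abc123\n"
    "X-Google-Smtp-Source: AGHT+IConstructedSampleValue\n"
    "Please review the attached invoice.\n"
)
SUSPICIOUS = {"subject": "Invoice due", "body_plain": LEAKED_HEADERS,
              "body_html": "<p>Please review the attached invoice.</p>", "references": [],
              "in_reply_to": None, "previous_threads": 0,
              "sender_root_domain": "example.net", "dmarc_pass": True}
# Same body, but a genuine threaded forward: the rule's negation suppresses it.
LEGIT_FORWARD = dict(SUSPICIOUS, subject="Fwd: Invoice due",
                     references=["<orig@example.org>"], previous_threads=1)
```

Note that the high-trust branch only fires when DMARC fails, so the same message from a high-trust domain that passes DMARC is not flagged, while a DMARC failure from that domain is.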