Vendor impersonation: Thread hijacking with typosquat domain

Detects potential thread hijacking where the sender uses a domain similar to known senders, exhibits BEC behavior, and shows signs of compromised thread continuity through domain spoofing or thread manipulation.

Sublime rule (View on GitHub)

 1name: "Vendor impersonation: Thread hijacking with typosquat domain"
 2description: "Detects potential thread hijacking where the sender uses a domain similar to known senders, exhibits BEC behavior, and shows signs of compromised thread continuity through domain spoofing or thread manipulation."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and subject.is_reply
 8  and sender.email.domain.root_domain not in $sender_domains
 9  // current sender has not been seen in the thread before
10  and any(body.previous_threads,
11          length(regex.iextract(.preamble, '<(?P<previous_email>\S*)>')) > 0
12          and any(regex.iextract(.preamble, '<(?P<previous_email>\S*)>'),
13                  strings.parse_email(.named_groups['previous_email']).domain.domain not in $org_domains
14          )
15  )
16  and all(body.previous_threads,
17          all(regex.iextract(.preamble, '<(?P<previous_email>\S*)>'),
18              strings.parse_email(.named_groups['previous_email']).domain.domain != sender.email.domain.domain
19          )
20  )
21  and any($sender_domains,
22          0 < strings.ilevenshtein(., sender.email.domain.root_domain) < 3
23  )
24  and any(ml.nlu_classifier(body.current_thread.text).intents,
25          .name == "bec" and .confidence != "low"
26  )
27  // risky category
28  and any(ml.nlu_classifier(body.current_thread.text).topics,
29          .name in (
30            "Financial Communications",
31            "E-Signature",
32            "Benefit Enrollment"
33          )
34          and .confidence == "high"
35  )
36  and 1 of (
37    not network.whois(sender.email.domain).found,
38    any(body.previous_threads, strings.icontains(.preamble, sender.display_name))
39  )
40  and (
41    profile.by_sender_domain().prevalence == "new"
42    or profile.by_sender_domain().days_known < 3
43  )  
44
45attack_types:
46  - "BEC/Fraud"
47tactics_and_techniques:
48  - "Lookalike domain"
49  - "Social engineering"
50  - "Spoofing"
51detection_methods:
52  - "Content analysis"
53  - "Natural Language Understanding"
54  - "Sender analysis"
55  - "Whois"
56id: "9c2f38ed-dfc3-5251-aaf1-3d35cf18369e"