Vendor impersonation: Thread hijacking with typosquat domain

Detects potential thread hijacking: a reply arriving from a domain that is new to the organization and is a close lookalike (edit distance 1–2) of a known sender domain, where that domain did not appear anywhere earlier in the quoted thread, the current message shows BEC intent on a financial, e-signature or benefits topic, and at least one corroborating signal is present (no whois record for the sender domain, or the sender's display name matching an earlier participant in the thread).

Sublime rule

 1name: "Vendor impersonation: Thread hijacking with typosquat domain"
 2description: "Detects potential thread hijacking where the sender uses a domain similar to known senders, exhibits BEC behavior, and shows signs of compromised thread continuity through domain spoofing or thread manipulation."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and subject.is_reply
 8  and sender.email.domain.root_domain not in $sender_domains
 9  // current sender has not been seen in the thread before
10  and any(body.previous_threads, .sender.email.domain.domain not in $org_domains)
11  and all(body.previous_threads,
12          .sender.email.domain.domain != sender.email.domain.domain
13          and all(.recipients.to,
14                  .email.domain.domain != sender.email.domain.domain
15          )
16          and all(.recipients.cc,
17                  .email.domain.domain != sender.email.domain.domain
18          )
19  )
20  and any($sender_domains,
21          0 < strings.ilevenshtein(., sender.email.domain.root_domain) < 3
22  )
23  and any(ml.nlu_classifier(body.current_thread.text).intents,
24          .name == "bec" and .confidence != "low"
25  )
26  // risky category
27  and any(ml.nlu_classifier(body.current_thread.text).topics,
28          .name in (
29            "Financial Communications",
30            "E-Signature",
31            "Benefit Enrollment"
32          )
33          and .confidence == "high"
34  )
35  and 1 of (
36    not network.whois(sender.email.domain).found,
37    any(body.previous_threads, strings.icontains(.preamble, sender.display_name))
38  )
39  and (
40    profile.by_sender_domain().prevalence == "new"
41    or profile.by_sender_domain().days_known < 3
42  )  
43attack_types:
44  - "BEC/Fraud"
45tactics_and_techniques:
46  - "Lookalike domain"
47  - "Social engineering"
48  - "Spoofing"
49detection_methods:
50  - "Content analysis"
51  - "Natural Language Understanding"
52  - "Sender analysis"
53  - "Whois"
54id: "9c2f38ed-dfc3-5251-aaf1-3d35cf18369e"