Sublime · medium severity · Rule
Business Email Compromise: Request for mobile number via reply thread hijacking
This rule detects BEC attacks that use reply threads to solicit mobile numbers, evading detection rules that exclude RE: subjects.
Detection Query
// Inbound message that quotes one or two earlier messages, carries no attachments,
// and whose quoted thread asks for a phone/mobile number; NLU, sender-profile and
// threading-header conditions below narrow it further.
type.inbound
// exactly one or two quoted prior messages
and 0 < length(body.previous_threads) < 3
and length(attachments) == 0
// At least one quoted thread must be short AND match the phone-solicitation regex.
and any(body.previous_threads,
(
// short as written ...
length(.text) < 500
// ... or short once the text of NLU "disclaimer" entities is subtracted
// (`..text` is taken to be the enclosing thread's text and `.` the entity text -- confirm MQL scoping)
or (
any(map(filter(ml.nlu_classifier(.text).entities,
.name == "disclaimer"
),
.text
),
(length(..text) - length(.)) < 500
)
)
)
// Case-insensitive phone-solicitation wording.
// NOTE(review): `\bno` has no trailing word boundary, so "call now", "contact not" or
// "another note" also satisfy the first alternative; `\bno\b` would tighten it.
and regex.icontains(.text,
'(?:mobile|suitable|contact|current|cell|call|another).{0,10}(phone|number|#|\bno)|whatsapp|\bcell|personalcell|(?:reliable|recent).{0,30}(?:phone|number).{0,15}contact'
)
)
// NLU: a medium/high-confidence bec or advance_fee intent in some quoted thread ...
and (
any(body.previous_threads,
any(ml.nlu_classifier(.text).intents,
.name in ("bec", "advance_fee") and .confidence in ("medium", "high")
)
)
// ... or weaker signals, accepted because confidence can be low on very short bodies
or (
any(body.previous_threads, length(.text) < 550)
// NOTE(review): this any() and the ones below are independent, so the short thread
// and the thread carrying the bec intent need not be the same quoted message.
and (
// a bec intent at any confidence in some quoted thread
any(body.previous_threads,
any(ml.nlu_classifier(.text).intents, .name == "bec")
)
// or the sender display name itself classifies as bec
or any(ml.nlu_classifier(sender.display_name).intents, .name == "bec")
// or some NLU entity in a quoted thread contains "kindly"
or any(body.previous_threads,
any(ml.nlu_classifier(.text).entities,
strings.icontains(.text, "kindly")
)
)
)
)
)
// Sender profile: unsolicited or with malicious/spam history, and no benign history
and (
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
// High-trust root domains are only kept when DMARC does not pass; together the two
// branches exclude exactly the case (high-trust domain AND dmarc pass).
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// Require reply/threading headers: a References header or an In-Reply-To field on any hop.
// NOTE(review): this only shows the message is threaded; it does not compare the sender
// with the quoted thread's participants, so it cannot by itself establish a hijacked thread.
and (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Sublime rule manifest: `source` holds the MQL detection query, `id` the rule's identifier.
name: "Business Email Compromise: Request for mobile number via reply thread hijacking"
description: "This rule detects BEC attacks that use reply threads to solicit mobile numbers, evading detection rules that exclude RE: subjects."
type: "rule"
severity: "medium"
source: |
// Inbound message that quotes one or two earlier messages, carries no attachments,
// and whose quoted thread asks for a phone/mobile number; NLU, sender-profile and
// threading-header conditions below narrow it further.
type.inbound
// exactly one or two quoted prior messages
and 0 < length(body.previous_threads) < 3
and length(attachments) == 0
// At least one quoted thread must be short AND match the phone-solicitation regex.
and any(body.previous_threads,
(
// short as written ...
length(.text) < 500
// ... or short once the text of NLU "disclaimer" entities is subtracted
// (`..text` is taken to be the enclosing thread's text and `.` the entity text -- confirm MQL scoping)
or (
any(map(filter(ml.nlu_classifier(.text).entities,
.name == "disclaimer"
),
.text
),
(length(..text) - length(.)) < 500
)
)
)
// Case-insensitive phone-solicitation wording.
// NOTE(review): `\bno` has no trailing word boundary, so "call now", "contact not" or
// "another note" also satisfy the first alternative; `\bno\b` would tighten it.
and regex.icontains(.text,
'(?:mobile|suitable|contact|current|cell|call|another).{0,10}(phone|number|#|\bno)|whatsapp|\bcell|personalcell|(?:reliable|recent).{0,30}(?:phone|number).{0,15}contact'
)
)
// NLU: a medium/high-confidence bec or advance_fee intent in some quoted thread ...
and (
any(body.previous_threads,
any(ml.nlu_classifier(.text).intents,
.name in ("bec", "advance_fee") and .confidence in ("medium", "high")
)
)
// ... or weaker signals, accepted because confidence can be low on very short bodies
or (
any(body.previous_threads, length(.text) < 550)
// NOTE(review): this any() and the ones below are independent, so the short thread
// and the thread carrying the bec intent need not be the same quoted message.
and (
// a bec intent at any confidence in some quoted thread
any(body.previous_threads,
any(ml.nlu_classifier(.text).intents, .name == "bec")
)
// or the sender display name itself classifies as bec
or any(ml.nlu_classifier(sender.display_name).intents, .name == "bec")
// or some NLU entity in a quoted thread contains "kindly"
or any(body.previous_threads,
any(ml.nlu_classifier(.text).entities,
strings.icontains(.text, "kindly")
)
)
)
)
)
// Sender profile: unsolicited or with malicious/spam history, and no benign history
and (
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
// High-trust root domains are only kept when DMARC does not pass; together the two
// branches exclude exactly the case (high-trust domain AND dmarc pass).
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// Require reply/threading headers: a References header or an In-Reply-To field on any hop.
// NOTE(review): this only shows the message is threaded; it does not compare the sender
// with the quoted thread's participants, so it cannot by itself establish a hijacked thread.
and (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
attack_types:
- "BEC/Fraud"
tactics_and_techniques:
- "Social engineering"
detection_methods:
- "Content analysis"
- "Natural Language Understanding"
- "Sender analysis"
id: "0282f346-7175-5d9c-9b10-a3e99462d263"