sublime · medium · Rule
Reconnaissance: Hotel booking reply-to redirect
Detects messages impersonating hotel booking inquiries by identifying common hotel-related language patterns in messages whose reply-to address is at a free email provider and differs from the sender domain. Such messages are sent to validate whether a recipient address is live, potentially preceding an attack.
Detection Query
type.inbound
and any(headers.reply_to,
        .email.domain.root_domain in $free_email_providers
        and .email.domain.root_domain != sender.email.domain.root_domain
)
and all(recipients.to,
        .email.domain.root_domain != sender.email.domain.root_domain
)
and length(body.links) == 0
and length(attachments) == 0
and length(body.current_thread.text) < 600
and not (
  (subject.is_reply or subject.is_forward)
  and (length(headers.references) > 0 or headers.in_reply_to is not null)
)
and (
  (
    strings.ilike(body.current_thread.text,
                  '*hotel*',
                  '*your property*',
                  '*accommodation*',
                  '*guest services*',
                  '*reception*',
                  '*front desk*'
    )
    and strings.ilike(body.current_thread.text,
                      '*booking*',
                      '*to book*',
                      '*book a *',
                      '*reserv*',
                      '*room*',
                      '*suite*',
                      '*availability*',
                      '*check-in*',
                      '*available dates*',
                      '*family trip*',
                      '*deluxe accommodation*',
                      '*two children*',
                      '*hotel manager*'
    )
  )
  or strings.ilike(subject.base,
                   '*hotel*',
                   '*room reserv*',
                   '*room inquiry*',
                   '*room availability*',
                   '*suite*',
                   '*accommodation*'
  )
)
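The same logic as a stand-alone Python check, useful for replaying the rule over sample messages outside the Sublime platform. This is an added example, not Sublime's code or MQL engine; the Message container, the free-provider list and the simplified root_domain() are assumptions, and the sample message is constructed.

```python
import re
from dataclasses import dataclass
# Stand-in for Sublime's $free_email_providers list (constructed assumption).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
HOTEL_TERMS = ("hotel", "your property", "accommodation", "guest services", "reception", "front desk")
BOOKING_TERMS = ("booking", "to book", "book a ", "reserv", "room", "suite", "availability", "check-in",
                 "available dates", "family trip", "deluxe accommodation", "two children", "hotel manager")
SUBJECT_TERMS = ("hotel", "room reserv", "room inquiry", "room availability", "suite", "accommodation")
REPLY_PREFIX = re.compile(r"^\s*(?:re|fwd?)\s*:\s*", re.I)

@dataclass
class Message:
    sender: str
    reply_to: tuple
    to: tuple
    subject: str
    body: str
    links: int = 0
    attachments: int = 0
    references: tuple = ()
    in_reply_to: str = ""

def root_domain(addr: str) -> str:
    # Simplified root domain (last two labels); Sublime's root_domain uses the public suffix list.
    return ".".join(addr.rsplit("@", 1)[-1].lower().split(".")[-2:])

def contains_any(text: str, terms) -> bool:
    # Case-insensitive substring match, the equivalent of strings.ilike('*term*').
    return any(t in text.lower() for t in terms)

def matches_rule(m: Message) -> bool:
    sd = root_domain(m.sender)
    # A reply-to at a free provider that differs from the sender domain is the redirect signal.
    if not any(root_domain(r) in FREE_EMAIL_PROVIDERS and root_domain(r) != sd for r in m.reply_to):
        return False
    # Internal mail (recipient shares the sender's root domain) is out of scope.
    if not all(root_domain(r) != sd for r in m.to):
        return False
    # Probes carry no links, no attachments and only a short body; real threaded replies are excluded.
    if m.links or m.attachments or len(m.body) >= 600:
        return False
    if REPLY_PREFIX.match(m.subject) and (m.references or m.in_reply_to):
        return False
    subject_base = REPLY_PREFIX.sub("", m.subject)
    return (contains_any(m.body, HOTEL_TERMS) and contains_any(m.body, BOOKING_TERMS)) \
        or contains_any(subject_base, SUBJECT_TERMS)

# Constructed sample: a bare text "inquiry" whose reply-to points at a free mailbox.
PROBE = Message(sender="inquiries@example-travel.com", reply_to=("traveller.inbox@gmail.com",),
                to=("reservations@example-hotel.org",), subject="Room availability for a family trip",
                body="Hello, does your hotel have a suite for two adults and two children in May?")
```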
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Reconnaissance: Hotel booking reply-to redirect"
description: "Detects messages impersonating hotel booking inquiries by identifying common hotel-related language patterns from senders where the reply-to is a free email provider and differs from the sender domain in an effort to validate whether a recipient address is valid or not, potentially preceding an attack."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(headers.reply_to,
          .email.domain.root_domain in $free_email_providers
          and .email.domain.root_domain != sender.email.domain.root_domain
  )
  and all(recipients.to,
          .email.domain.root_domain != sender.email.domain.root_domain
  )
  and length(body.links) == 0
  and length(attachments) == 0
  and length(body.current_thread.text) < 600
  and not (
    (subject.is_reply or subject.is_forward)
    and (length(headers.references) > 0 or headers.in_reply_to is not null)
  )
  and (
    (
      strings.ilike(body.current_thread.text,
                    '*hotel*',
                    '*your property*',
                    '*accommodation*',
                    '*guest services*',
                    '*reception*',
                    '*front desk*'
      )
      and strings.ilike(body.current_thread.text,
                        '*booking*',
                        '*to book*',
                        '*book a *',
                        '*reserv*',
                        '*room*',
                        '*suite*',
                        '*availability*',
                        '*check-in*',
                        '*available dates*',
                        '*family trip*',
                        '*deluxe accommodation*',
                        '*two children*',
                        '*hotel manager*'
      )
    )
    or strings.ilike(subject.base,
                     '*hotel*',
                     '*room reserv*',
                     '*room inquiry*',
                     '*room availability*',
                     '*suite*',
                     '*accommodation*'
    )
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "08c36035-dc50-5169-808c-c8a6d2f64932"