EXPLORE
Sign In
← Back to Explore
sublimemediumRule

BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply

Detects suspicious reply messages with urgent language in sender name or email address, minimal body content, and the sender's email address appearing in previous thread content, indicating a self reply.

MITRE ATT&CK

T1566.002T1534T1656T1566T1598T1036T1027
initial-accessdefense-evasion

Detection Query

type.inbound
and subject.is_reply
and length(attachments) == 0
// short current thread
and length(body.current_thread.text) < 25
// only 1 previous thread
and length(body.previous_threads) == 1
and any(recipients.to,
        .email.domain.root_domain != sender.email.domain.root_domain
)
// urgent or authority based keywords in sender display name or local part
and (
  regex.icontains(sender.display_name,
                  '\b(?:(?:crucial|urgent|immediate|important|quick)(?:ly)?|immediatetask|emergency)\b'
  )
  or regex.icontains(sender.email.local_part, '(?:task|ceo|executive)')
)
// sender replied to themselves
and any(body.previous_threads, strings.icontains(.preamble, sender.email.email))

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply"
description: "Detects suspicious reply messages with urgent language in sender name or email address, minimal body content, and the sender's email address appearing in previous thread content, indicating a self reply."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and subject.is_reply
  and length(attachments) == 0
  // short current thread
  and length(body.current_thread.text) < 25
  // only 1 previous thread
  and length(body.previous_threads) == 1
  and any(recipients.to,
          .email.domain.root_domain != sender.email.domain.root_domain
  )
  // urgent or authority based keywords in sender display name or local part
  and (
    regex.icontains(sender.display_name,
                    '\b(?:(?:crucial|urgent|immediate|important|quick)(?:ly)?|immediatetask|emergency)\b'
    )
    or regex.icontains(sender.email.local_part, '(?:task|ceo|executive)')
  )
  // sender replied to themselves
  and any(body.previous_threads, strings.icontains(.preamble, sender.email.email))

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "1754260a-3ac4-5825-a04f-93062fe4c885"