Domain impersonation: Freemail reply-to local lookalike with financial request

This technique takes advantage of the use of free email services for the reply-to address. By incorporating the sender domain in the local part of the reply-to address, the attacker creates a visually similar appearance to a legitimate email address.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and any(headers.reply_to,
        .email.email != sender.email.email
        and .email.domain.domain in $free_email_providers
        and .email.email not in $sender_emails
        and strings.contains(.email.local_part, sender.email.domain.sld)
)
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "bec" and .confidence in ("medium", "high")
  )
  or (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "financial"
    )
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "request"
    )
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "urgency"
    )
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "sender"
    )
    and any(ml.nlu_classifier(body.current_thread.text).intents,
            .name != "benign"
    )
  )
)
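The header half of the rule above, as an added Python example (not Sublime's code): it checks each Reply-To address against a constructed free-provider list and a constructed allow-list of known sender addresses, and tests whether the local part embeds the sender's second-level domain; the content half takes classifier output as the rule consumes it (intent names with confidences, entity names), since the NLU classifier itself is not reproduced here.

```python
from email.utils import getaddresses, parseaddr

# Constructed stand-ins for the rule's $free_email_providers and $sender_emails lists.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
KNOWN_SENDER_EMAILS = {"ap@example.com"}


def sld(domain: str) -> str:
    """Second-level label, e.g. 'example' for 'mail.example.com'.
    Simplification: Sublime's domain.sld is public-suffix aware; this
    only takes the label left of the final one."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else domain.lower()


def lookalike_reply_to(sender: str, reply_to: str) -> list[str]:
    """Reply-To addresses satisfying the rule's header block: a freemail
    address, different from the sender, not an allow-listed sender, whose
    local part contains the sender's second-level domain."""
    sender_addr = parseaddr(sender)[1].lower()
    sender_sld = sld(sender_addr.rpartition("@")[2])
    hits = []
    for _, addr in getaddresses([reply_to]):
        addr = addr.lower()
        local, _, domain = addr.rpartition("@")
        if (addr != sender_addr
                and domain in FREE_EMAIL_PROVIDERS
                and addr not in KNOWN_SENDER_EMAILS
                and sender_sld in local):
            hits.append(addr)
    return hits


def bec_content(intents: dict[str, str], entities: set[str]) -> bool:
    """Content block of the rule: a medium/high BEC intent, or the four
    entities (financial, request, urgency, sender) plus a non-benign intent."""
    if intents.get("bec") in ("medium", "high"):
        return True
    return ({"financial", "request", "urgency", "sender"} <= entities
            and any(name != "benign" for name in intents))


def rule_matches(sender: str, reply_to: str, intents: dict[str, str], entities: set[str]) -> bool:
    return bool(lookalike_reply_to(sender, reply_to)) and bec_content(intents, entities)


# Constructed sample message: the header block fires, and a medium-confidence
# BEC intent satisfies the content block.
SAMPLE_SENDER = "Jane Doe <jane.doe@example.com>"
SAMPLE_REPLY_TO = "Jane Doe <jane.doe.example.com@gmail.com>"
SAMPLE_INTENTS = {"bec": "medium"}
SAMPLE_ENTITIES = {"financial", "request"}
```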

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content
name: "Domain impersonation: Freemail reply-to local lookalike with financial request"
description: |
  This technique takes advantage of the use of free email services for the reply-to address.
  By incorporating the sender domain in the local part of the reply-to address, the attacker
  creates a visually similar appearance to a legitimate email address.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(headers.reply_to,
          .email.email != sender.email.email
          and .email.domain.domain in $free_email_providers
          and .email.email not in $sender_emails
          and strings.contains(.email.local_part, sender.email.domain.sld)
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "bec" and .confidence in ("medium", "high")
    )
    or (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "financial"
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "request"
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "urgency"
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "sender"
      )
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name != "benign"
      )
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "43026a40-4285-51a7-a42e-f08b9ee41b97"