Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)

name: "Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)"
description: |
  This rule detects unsolicited messages where the recipient matches the sender address and no other recipients are identified.
  The reply-to address does not match the sender, and is a freemail with no links in the body.
  This a common combination of techniques used by low level BEC threats. 
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(recipients.to, .email.email == sender.email.email)
  and length(recipients.cc) == 0
  and length(recipients.bcc) == 0
  and length(body.links) == 0
  and any(headers.reply_to,
          .email.domain.domain in $free_email_providers
          and not .email.domain.domain == sender.email.domain.domain
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "682191bf-a623-5f03-a497-9b8590535697"