sublime | medium | Rule
Body: Embedded email headers indicative of thread hijacking/abuse
Detects email headers embedded in the message body content, indicating forwarded phishing attempts, MIME boundary manipulation, delivery notification spoofing, or copy-paste phishing. This pattern is commonly seen when attackers forward legitimate emails and the headers get included in the body, or when spoofing system notifications.
Detection Query
// Rule: transport/authentication header lines embedded in the plain-text body.
// Every header check below is a plain-vs-HTML mismatch (present in body.plain.raw,
// absent from body.html.raw), so a message whose HTML part also carries the same
// header text does not satisfy that check.
// NOTE(review): for messages with no HTML part, how icontains/regex.icontains treat a
// null body.html.raw is not shown here -- confirm the mismatch still evaluates true.
type.inbound
// Headers are in the body.plain.raw but not the body.html.raw
// At least two of the three header names must show the mismatch. Delivered-To and
// ARC-Seal are generic headers; X-Google-Smtp-Source is Google-specific, so mail that
// passed through other providers must hit the two generic ones to reach this branch.
and 2 of (
strings.icontains(body.plain.raw, "Delivered-To:")
and not strings.icontains(body.html.raw, "Delivered-To:"),
strings.icontains(body.plain.raw, "X-Google-Smtp-Source:")
and not strings.icontains(body.html.raw, "X-Google-Smtp-Source:"),
strings.icontains(body.plain.raw, "ARC-Seal: i=")
and not strings.icontains(body.html.raw, "ARC-Seal: i="),
)
// Additionally at least one Received / X-Received trace line. The .{10,80} quantifier
// bounds the text allowed between "Received: by" and "with SMTP id" so unrelated body
// text cannot bridge the two fragments.
and 1 of (
regex.icontains(body.plain.raw, "Received: by .{10,80} with SMTP id")
and not regex.icontains(body.html.raw, "Received: by .{10,80} with SMTP id"),
regex.icontains(body.plain.raw, "X-Received: by .{10,80} with SMTP id")
and not regex.icontains(body.html.raw, "X-Received: by .{10,80} with SMTP id"),
)
// Negate legitimate forwards where users intentionally include headers
// All three must hold for the exclusion to apply: threading headers (References or
// In-Reply-To), a forward/reply subject, and at least one previous thread parsed from
// the body. A forward with none of these remains in scope.
and not (
(length(headers.references) > 0 or headers.in_reply_to is not null)
and (subject.is_forward or subject.is_reply)
and length(body.previous_threads) >= 1
)
// Sender is not from org or high trust domains
// Org root domains are always excluded. High-trust root domains are excluded only
// while DMARC passes; a high-trust domain whose DMARC check does not pass stays in
// scope, which is the spoofed-trusted-sender case the trust list should not cover.
// NOTE(review): behaviour when dmarc.pass is null (no DMARC result) is not shown here.
and sender.email.domain.root_domain not in $org_domains
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Sublime detection rule. The `source` block scalar holds the MQL query applied to
# inbound messages (it starts with type.inbound); the remaining keys are rule metadata.
name: "Body: Embedded email headers indicative of thread hijacking/abuse"
description: "Detects email headers embedded in the message body content, indicating forwarded phishing attempts, MIME boundary manipulation, delivery notification spoofing, or copy-paste phishing. This pattern is commonly seen when attackers forward legitimate emails and the headers get included in the body, or when spoofing system notifications."
type: "rule"
severity: "medium"
# Query structure: (1) at least two transport/authentication headers present in the
# plain-text body but absent from the HTML body, (2) at least one Received/X-Received
# trace line with the same mismatch, (3) exclusion of replies/forwards that carry
# threading headers and a previous thread, (4) sender root domain not in $org_domains,
# and high-trust root domains kept in scope only when DMARC does not pass.
source: |
type.inbound
// Headers are in the body.plain.raw but not the body.html.raw
and 2 of (
strings.icontains(body.plain.raw, "Delivered-To:")
and not strings.icontains(body.html.raw, "Delivered-To:"),
strings.icontains(body.plain.raw, "X-Google-Smtp-Source:")
and not strings.icontains(body.html.raw, "X-Google-Smtp-Source:"),
strings.icontains(body.plain.raw, "ARC-Seal: i=")
and not strings.icontains(body.html.raw, "ARC-Seal: i="),
)
and 1 of (
regex.icontains(body.plain.raw, "Received: by .{10,80} with SMTP id")
and not regex.icontains(body.html.raw, "Received: by .{10,80} with SMTP id"),
regex.icontains(body.plain.raw, "X-Received: by .{10,80} with SMTP id")
and not regex.icontains(body.html.raw, "X-Received: by .{10,80} with SMTP id"),
)
// Negate legitimate forwards where users intentionally include headers
and not (
(length(headers.references) > 0 or headers.in_reply_to is not null)
and (subject.is_forward or subject.is_reply)
and length(body.previous_threads) >= 1
)
// Sender is not from org or high trust domains
and sender.email.domain.root_domain not in $org_domains
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
# Classification tags attached to the rule (attack types, tactics, detection methods).
attack_types:
- "Credential Phishing"
- "BEC/Fraud"
- "Spam"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
- "Spoofing"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
# Rule identifier as published on this page.
id: "6e8eeebb-5ea2-53e0-b4a8-c07d1248d177"