← Back to Explore
sublimehighRule
BEC with unusual reply-to or return-path mismatch
Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence.
Detection Query
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("bec", "advance_fee") and .confidence == "high"
)
and (
headers.return_path.domain.root_domain in $free_email_providers
or (
length(headers.reply_to) > 0
and all(headers.reply_to,
.email.domain.root_domain in $free_email_providers
)
)
)
and (
(
sender.email.domain.root_domain == "paypal.com"
and (
not headers.auth_summary.dmarc.pass
or headers.auth_summary.dmarc.pass is null
)
)
or sender.email.domain.root_domain is null
or sender.email.domain.root_domain != "paypal.com"
)
and sender.email.domain.root_domain not in $free_email_providers
// negate gmail autoforwards and null return paths
and (
headers.return_path.email is null
or not strings.ilike(headers.return_path.local_part, "*+caf_=*")
)
// negate listservs
and not (
any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
and strings.contains(sender.display_name, "via")
)
// negate legit replies
and not (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
// legitimate quickbooks from known sender
and not (
sender.email.email == "quickbooks@notification.intuit.com"
and headers.auth_summary.spf.pass
and beta.profile.by_reply_to().prevalence in (
"outlier",
"uncommon",
"rare",
"common"
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "BEC with unusual reply-to or return-path mismatch"
description: "Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence."
type: "rule"
severity: "high"
source: |
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("bec", "advance_fee") and .confidence == "high"
)
and (
headers.return_path.domain.root_domain in $free_email_providers
or (
length(headers.reply_to) > 0
and all(headers.reply_to,
.email.domain.root_domain in $free_email_providers
)
)
)
and (
(
sender.email.domain.root_domain == "paypal.com"
and (
not headers.auth_summary.dmarc.pass
or headers.auth_summary.dmarc.pass is null
)
)
or sender.email.domain.root_domain is null
or sender.email.domain.root_domain != "paypal.com"
)
and sender.email.domain.root_domain not in $free_email_providers
// negate gmail autoforwards and null return paths
and (
headers.return_path.email is null
or not strings.ilike(headers.return_path.local_part, "*+caf_=*")
)
// negate listservs
and not (
any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
and strings.contains(sender.display_name, "via")
)
// negate legit replies
and not (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
// legitimate quickbooks from known sender
and not (
sender.email.email == "quickbooks@notification.intuit.com"
and headers.auth_summary.spf.pass
and beta.profile.by_reply_to().prevalence in (
"outlier",
"uncommon",
"rare",
"common"
)
)
attack_types:
- "BEC/Fraud"
tactics_and_techniques:
- "Evasion"
- "Free email provider"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Sender analysis"
id: "83e5e2df-7049-5990-b20d-1ff6bc6fd6f0"