sublimehighRule

Headers: Fake in-reply-to with wildcard sender and missing thread context

Detects messages claiming to be replies with In-Reply-To headers but lacking previous thread context, sent from addresses containing multiple wildcard characters in the local part.

MITRE ATT&CK

T1566.002 T1534 T1656 T1566 T1566.001 T1598 T1036 T1027

defense-evasioninitial-access

Detection Query

type.inbound
and headers.in_reply_to is not null
and not (subject.is_forward or subject.is_reply)
and length(body.previous_threads) == 0
and strings.count(sender.email.local_part, "*") >= 2

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

Raw Content

name: "Headers: Fake in-reply-to with wildcard sender and missing thread context"
description: "Detects messages claiming to be replies with In-Reply-To headers but lacking previous thread context, sent from addresses containing multiple wildcard characters in the local part."
type: "rule"
severity: "high"
source: |
  type.inbound
  and headers.in_reply_to is not null
  and not (subject.is_forward or subject.is_reply)
  and length(body.previous_threads) == 0
  and strings.count(sender.email.local_part, "*") >= 2

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "Content analysis"
id: "89da670a-4b03-52f7-891c-48820bb2362a"