Rule by sublime, severity: high

Vendor impersonation: Thread hijacking with typosquat domain

Detects potential thread hijacking where the sender uses a domain similar to known senders, exhibits BEC behavior, and shows signs of compromised thread continuity through domain spoofing or thread manipulation.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and subject.is_reply
// sender's root domain is not already a known sender domain
and sender.email.domain.root_domain not in $sender_domains
// the quoted thread already includes at least one external party
and any(body.previous_threads, .sender.email.domain.domain not in $org_domains)
// current sender's domain has not been seen in the thread before (as From, To or Cc)
and all(body.previous_threads,
        .sender.email.domain.domain != sender.email.domain.domain
        and all(.recipients.to,
                .email.domain.domain != sender.email.domain.domain
        )
        and all(.recipients.cc,
                .email.domain.domain != sender.email.domain.domain
        )
)
and any($sender_domains,
        0 < strings.ilevenshtein(., sender.email.domain.root_domain) < 3
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "bec" and .confidence != "low"
)
// risky category
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in (
          "Financial Communications",
          "E-Signature",
          "Benefit Enrollment"
        )
        and .confidence == "high"
)
// corroboration: either the domain has no WHOIS record, or the sender's display
// name appears in the preamble of a quoted message (the "On ... wrote:" line)
and 1 of (
  not network.whois(sender.email.domain).found,
  any(body.previous_threads, strings.icontains(.preamble, sender.display_name))
)
// the sending domain is new to the org or was first seen less than 3 days ago
and (
  profile.by_sender_domain().prevalence == "new"
  or profile.by_sender_domain().days_known < 3
)
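The deterministic clauses of the query above (reply check, known-sender exclusion, external party in the thread, thread continuity on From/To/Cc, and the edit-distance lookalike test) can be exercised offline. The following is an added example written for this page, not Sublime's code: the NLU intent/topic, WHOIS and sender-profile clauses need live services and are left out, `root_domain` is approximated as the last two labels (no public suffix list), and the org, vendor and thread data are constructed.

```python
"""Offline emulation of the deterministic clauses of the rule above.

Added example, not Sublime's own code. The NLU intent/topic, WHOIS and
sender-profile clauses are omitted because they need live services.
"""
from dataclasses import dataclass, field
from typing import List, Optional


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit-cost insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address (mirrors .email.domain.domain)."""
    return addr.rsplit("@", 1)[-1].lower()


def root_domain(domain: str) -> str:
    """Registrable domain approximated as the last two labels.
    Assumption: no public-suffix handling, so 'vendor.co.uk' would collapse to
    'co.uk' here; Sublime's root_domain uses the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


@dataclass
class Thread:
    """One quoted message from body.previous_threads."""
    sender: str
    to: List[str]
    cc: List[str] = field(default_factory=list)


@dataclass
class Inbound:
    subject: str
    sender: str
    previous_threads: List[Thread]


def lookalike_of(sender_root: str, sender_domains) -> Optional[str]:
    """Known domain within edit distance 1..2 of the sender's root domain,
    i.e. 0 < strings.ilevenshtein(., root_domain) < 3; None if there is none."""
    for known in sender_domains:
        if 0 < levenshtein(known.lower(), sender_root) < 3:
            return known
    return None


def typosquat_thread_hijack(msg: Inbound, sender_domains, org_domains) -> Optional[str]:
    """Return the impersonated known domain when the modelled clauses match, else None."""
    if not msg.subject.lower().startswith("re:"):            # subject.is_reply
        return None
    sender_domain = domain_of(msg.sender)
    sender_root = root_domain(sender_domain)
    if sender_root in {d.lower() for d in sender_domains}:   # already a known sender
        return None
    threads = msg.previous_threads
    # at least one quoted message came from outside the org
    if not any(domain_of(t.sender) not in org_domains for t in threads):
        return None
    # the sending domain never appeared as From, To or Cc earlier in the thread
    for t in threads:
        seen = {domain_of(t.sender)} | {domain_of(r) for r in t.to + t.cc}
        if sender_domain in seen:
            return None
    return lookalike_of(sender_root, sender_domains)


# Constructed sample data: the org, its known vendors and a quoted invoice thread.
ORG_DOMAINS = {"example.com"}
SENDER_DOMAINS = {"acme-supply.com", "northwind.io"}
INVOICE_THREAD = [
    Thread(sender="ap@acme-supply.com", to=["bob@example.com"]),
    Thread(sender="bob@example.com", to=["ap@acme-supply.com"], cc=["cfo@example.com"]),
]


def run_examples() -> dict:
    """Run the sample scenarios; values are the rule result for each."""
    cases = {
        "lookalike_reply": Inbound("Re: Invoice 4471", "ap@acme-suply.com", INVOICE_THREAD),
        "lookalike_subdomain": Inbound("RE: Invoice 4471", "ap@mail.acme-suply.com", INVOICE_THREAD),
        "genuine_vendor": Inbound("Re: Invoice 4471", "ap@acme-supply.com", INVOICE_THREAD),
        "unrelated_domain": Inbound("Re: Invoice 4471", "x@contoso.com", INVOICE_THREAD),
        "not_a_reply": Inbound("Invoice 4471", "ap@acme-suply.com", INVOICE_THREAD),
        "already_in_thread": Inbound("Re: Invoice 4471", "ap@acme-suply.com", [
            Thread(sender="ap@acme-supply.com", to=["bob@example.com"], cc=["ap@acme-suply.com"]),
        ]),
        "internal_thread": Inbound("Re: Invoice 4471", "ap@acme-suply.com", [
            Thread(sender="bob@example.com", to=["cfo@example.com"]),
        ]),
    }
    return {n: typosquat_thread_hijack(m, SENDER_DOMAINS, ORG_DOMAINS) for n, m in cases.items()}


if __name__ == "__main__":
    for name, hit in run_examples().items():
        print(f"{name:20s} -> {'impersonates ' + hit if hit else 'no match'}")
```

Two behaviours worth noting when tuning: the continuity check compares the full sending domain, while the lookalike check uses the root domain, so a reply from `mail.acme-suply.com` still matches a known `acme-supply.com`; and a fixed threshold of distance 1 or 2 is loose for short root domains, where a two-label name like `ab.io` sits within distance 2 of an unrelated `cd.io`, so the quality of `$sender_domains` largely determines the false-positive rate before the NLU, WHOIS and profile clauses narrow it further.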

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email
Raw Content
name: "Vendor impersonation: Thread hijacking with typosquat domain"
description: "Detects potential thread hijacking where the sender uses a domain similar to known senders, exhibits BEC behavior, and shows signs of compromised thread continuity through domain spoofing or thread manipulation."
type: "rule"
severity: "high"
source: |
  type.inbound
  and subject.is_reply
  // sender's root domain is not already a known sender domain
  and sender.email.domain.root_domain not in $sender_domains
  // the quoted thread already includes at least one external party
  and any(body.previous_threads, .sender.email.domain.domain not in $org_domains)
  // current sender's domain has not been seen in the thread before (as From, To or Cc)
  and all(body.previous_threads,
          .sender.email.domain.domain != sender.email.domain.domain
          and all(.recipients.to,
                  .email.domain.domain != sender.email.domain.domain
          )
          and all(.recipients.cc,
                  .email.domain.domain != sender.email.domain.domain
          )
  )
  and any($sender_domains,
          0 < strings.ilevenshtein(., sender.email.domain.root_domain) < 3
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "bec" and .confidence != "low"
  )
  // risky category
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in (
            "Financial Communications",
            "E-Signature",
            "Benefit Enrollment"
          )
          and .confidence == "high"
  )
  // corroboration: either the domain has no WHOIS record, or the sender's display
  // name appears in the preamble of a quoted message (the "On ... wrote:" line)
  and 1 of (
    not network.whois(sender.email.domain).found,
    any(body.previous_threads, strings.icontains(.preamble, sender.display_name))
  )
  // the sending domain is new to the org or was first seen less than 3 days ago
  and (
    profile.by_sender_domain().prevalence == "new"
    or profile.by_sender_domain().days_known < 3
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Lookalike domain"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Whois"
id: "9c2f38ed-dfc3-5251-aaf1-3d35cf18369e"