Author: sublime | Severity: low | Type: Rule
Reconnaissance: Empty message from uncommon sender
Detects incoming messages that are completely empty, containing no subject line, message body content, or file attachments. Such messages may be used for reconnaissance, delivery confirmation, or as part of multi-stage attacks.
Detection Query
type.inbound
and subject.base == ""
and (
body.plain.raw is null
or body.plain.raw == ""
or regex.imatch(body.plain.raw, '^\s*$')
)
and (
body.html.raw is null
or body.html.raw == ""
or regex.imatch(body.html.raw, '^\s*$')
)
and length(attachments) == 0
and profile.by_sender().prevalence != "common"
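The MQL above only runs inside Sublime, so as an added example (not Sublime's own code) here is the same predicate re-implemented in Python over parsed RFC 5322 messages, with constructed samples. The `sender_prevalence` argument stands in for `profile.by_sender().prevalence`, and the reply/forward prefix stripping is an approximation of `subject.base`; both are assumptions of this example.

```python
import re
from email import message_from_string, policy

# Mirrors regex.imatch(x, '^\s*$'): null, "" or whitespace-only bodies all count as empty.
_WS_ONLY = re.compile(r"^\s*$")
# Rough stand-in for subject.base, which drops reply/forward prefixes before comparing.
_PREFIX = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", re.I)


def body_is_blank(text):
    return text is None or _WS_ONLY.match(text) is not None


def extract(msg):
    """Return (plain_body, html_body, attachment_count) for a parsed message."""
    plain = html = None
    attachments = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            attachments += 1  # length(attachments) in the rule
        elif part.get_content_type() == "text/plain" and plain is None:
            plain = part.get_content()  # body.plain.raw
        elif part.get_content_type() == "text/html" and html is None:
            html = part.get_content()  # body.html.raw
    return plain, html, attachments


def is_empty_from_uncommon_sender(msg, sender_prevalence):
    """sender_prevalence (assumed values: "common", "uncommon", "new") replaces profile.by_sender()."""
    subject_base = _PREFIX.sub("", str(msg["Subject"] or "")).strip()
    plain, html, n_att = extract(msg)
    return (subject_base == "" and body_is_blank(plain) and body_is_blank(html)
            and n_att == 0 and sender_prevalence != "common")


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def sample(subject="", body="   \n"):
    """Constructed test message; the defaults produce the fully empty case the rule targets."""
    return parse(f"From: sender@example.invalid\nTo: user@example.invalid\n"
                 f"Subject: {subject}\nContent-Type: text/plain; charset=utf-8\n\n{body}")


if __name__ == "__main__":
    print(is_empty_from_uncommon_sender(sample(), "new"))        # True: flagged
    print(is_empty_from_uncommon_sender(sample(), "common"))     # False: known sender
    print(is_empty_from_uncommon_sender(sample(body="Hi\n"), "new"))  # False: has body
```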
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Reconnaissance: Empty message from uncommon sender"
description: "Detects incoming messages that are completely empty, containing no subject line, message body content, or file attachments. Such messages may be used for reconnaissance, delivery confirmation, or as part of multi-stage attacks."
type: "rule"
severity: "low"
source: |
  type.inbound
  and subject.base == ""
  and (
    body.plain.raw is null
    or body.plain.raw == ""
    or regex.imatch(body.plain.raw, '^\s*$')
  )
  and (
    body.html.raw is null
    or body.html.raw == ""
    or regex.imatch(body.html.raw, '^\s*$')
  )
  and length(attachments) == 0
  and profile.by_sender().prevalence != "common"
tags:
  - "Attack surface reduction"
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
id: "b347cdbc-a0ee-5901-b61e-356d6ea49d6d"