Source: Sublime | Severity: medium | Type: Rule

Reconnaissance: Email address harvesting attempt

Detects potential email harvesting or credential phishing attempts where short messages contain email addresses in the body text. These messages often try to extract contact information or validate email addresses for future attacks.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and length(subject.base) <= 15
// detect an email address anywhere in the body text
// (regex.imatch requires the entire string to match the pattern; icontains
// returns true when any substring matches, which is what the description intends)
and (
  regex.icontains(body.current_thread.text,
                  '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'
  )
)
// external freemail sender
and sender.email.domain.root_domain in $free_email_providers
// no attachments but allow one link
and length(attachments) == 0
and length(body.current_thread.links) == 1

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Tags

Attack surface reduction

Raw Content
name: "Reconnaissance: Email address harvesting attempt"
description: |
  Detects potential email harvesting or credential phishing attempts where short messages contain email addresses in the body text. These messages often try to extract contact information or validate email addresses for future attacks.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(subject.base) <= 15
  // detect an email address anywhere in the body text
  // (regex.imatch requires the entire string to match the pattern; icontains
  // returns true when any substring matches, which is what the description intends)
  and (
    regex.icontains(body.current_thread.text,
                    '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'
    )
  )
  // external freemail sender
  and sender.email.domain.root_domain in $free_email_providers
  // no attachments but allow one link
  and length(attachments) == 0
  and length(body.current_thread.links) == 1
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "bb31efbc-e96d-5697-80ce-343881ee221f"
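To make the rule's conditions (as shown in both the Detection Query section and the Raw Content above) concrete, the following Python reimplements them and runs them over a few constructed sample messages. This is an added example, not Sublime's code and not part of the rule; the `Message` dataclass, the `FREE_EMAIL_PROVIDERS` sample set, and the `subject_base` and `sender_root_domain` helpers are simplified stand-ins for the platform's `subject.base`, `sender.email.domain.root_domain` and `$free_email_providers`. It also shows why the choice of regex function matters: `re.fullmatch` requires the whole body to be an address (the behaviour of MQL's `regex.match` family), while `re.search` finds one anywhere (the `regex.contains` family).

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the $free_email_providers list referenced by the rule
# (assumption: a few well-known freemail domains, not Sublime's real list).
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# The rule's own email-address pattern, compiled case-insensitively
# (the rule uses the i-prefixed regex functions).
EMAIL_RE = re.compile(r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}", re.IGNORECASE)

# Approximation of subject.base: strip leading reply/forward markers (assumption).
SUBJECT_PREFIX_RE = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


@dataclass
class Message:
    """Minimal model of the message fields the rule reads (assumed shape)."""
    inbound: bool
    subject: str
    sender_email: str
    body_text: str
    links: list = field(default_factory=list)        # URLs in the current thread
    attachments: list = field(default_factory=list)  # attachment names


def subject_base(subject: str) -> str:
    return SUBJECT_PREFIX_RE.sub("", subject).strip()


def sender_root_domain(email: str) -> str:
    # Approximation of sender.email.domain.root_domain: the last two labels.
    # Public-suffix handling (e.g. co.uk) is deliberately out of scope (assumption).
    host = email.rsplit("@", 1)[1].lower()
    return ".".join(host.split(".")[-2:])


def body_has_email(text: str, whole_body: bool = False) -> bool:
    """whole_body=False: regex.icontains semantics; True: regex.imatch semantics."""
    if whole_body:
        return EMAIL_RE.fullmatch(text.strip()) is not None
    return EMAIL_RE.search(text) is not None


def evaluate(msg: Message, whole_body: bool = False) -> dict:
    """Return each of the rule's conditions plus the overall verdict."""
    checks = {
        "inbound": msg.inbound,
        "short_subject": len(subject_base(msg.subject)) <= 15,
        "email_in_body": body_has_email(msg.body_text, whole_body),
        "freemail_sender": sender_root_domain(msg.sender_email) in FREE_EMAIL_PROVIDERS,
        "no_attachments": len(msg.attachments) == 0,
        "exactly_one_link": len(msg.links) == 1,
    }
    checks["match"] = all(checks.values())
    return checks


# Constructed sample messages (not real traffic).
HARVEST_PROBE = Message(
    inbound=True,
    subject="Re: quick check",
    sender_email="accounts.team2024@gmail.com",
    body_text="Is j.doe@corp.example still the right address? Confirm here.",
    links=["https://confirm.example.invalid/verify"],
)
CORPORATE_NOTICE = Message(  # same shape, but not from a freemail sender
    inbound=True,
    subject="quick check",
    sender_email="helpdesk@corp.example",
    body_text="Is j.doe@corp.example still the right address? Confirm here.",
    links=["https://intranet.corp.example/verify"],
)
LONG_SUBJECT = Message(  # subject.base exceeds the 15-character limit
    inbound=True,
    subject="Quarterly vendor contact list refresh",
    sender_email="someone@yahoo.com",
    body_text="Please confirm j.doe@corp.example",
    links=["https://forms.example.invalid/x"],
)


def run_samples(whole_body: bool = False) -> dict:
    """Verdict per sample; whole_body=True shows the full-string-match variant."""
    return {
        "harvest_probe": evaluate(HARVEST_PROBE, whole_body)["match"],
        "corporate_notice": evaluate(CORPORATE_NOTICE, whole_body)["match"],
        "long_subject": evaluate(LONG_SUBJECT, whole_body)["match"],
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {'MATCH' if verdict else 'no match'}")
```

Only the freemail-sourced probe with a short subject, one link and no attachments fires; the same text from a corporate sender and the long-subject variant do not. Running `run_samples(whole_body=True)` shows that a whole-string match misses the probe entirely, because its body contains an address rather than consisting solely of one.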