← Back to Explore
sublimemediumRule
Fake message thread - Untrusted sender with a mismatched freemail reply-to address
Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility. This is typically used in conjunction with a reply-to address that is not the same as the sender address.
Detection Query
type.inbound
and (
(
profile.by_sender_email().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// Reply-to is a freemail sender but From is not
and any(headers.reply_to,
.email.domain.domain in $free_email_providers
and not .email.domain.domain == sender.email.domain.domain
)
// Exclude marketing emails
and not strings.ilike(sender.email.local_part,
"support",
"sales",
"noreply",
"marketing"
)
// Exclude mailing lists
and not any(headers.hops,
any(.fields,
.name in ("x-google-group-id", "list-post", "mailing-list")
)
)
// Check for Message Thread Indicators
and (
regex.icontains(subject.subject, '\b(?:RE|FWD?)\s*:')
or any([body.current_thread.text, body.html.display_text, body.plain.raw],
3 of (
strings.icontains(., "from:"),
strings.icontains(., "to:"),
strings.icontains(., "sent:"),
strings.icontains(., "date:"),
strings.icontains(., "cc:"),
strings.icontains(., "subject:")
)
)
)
// Check for the Presence of References or In-Reply-To properties
and (length(headers.references) == 0 or headers.in_reply_to is null)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Fake message thread - Untrusted sender with a mismatched freemail reply-to address"
description: |
Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility.
This is typically used in conjunction with a reply-to address that is not the same as the sender address.
references:
- "https://playground.sublimesecurity.com?id=5ab9a225-4de3-494f-9a55-e16ec9e1e5c3"
type: "rule"
severity: "medium"
source: |
type.inbound
and (
(
profile.by_sender_email().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// Reply-to is a freemail sender but From is not
and any(headers.reply_to,
.email.domain.domain in $free_email_providers
and not .email.domain.domain == sender.email.domain.domain
)
// Exclude marketing emails
and not strings.ilike(sender.email.local_part,
"support",
"sales",
"noreply",
"marketing"
)
// Exclude mailing lists
and not any(headers.hops,
any(.fields,
.name in ("x-google-group-id", "list-post", "mailing-list")
)
)
// Check for Message Thread Indicators
and (
regex.icontains(subject.subject, '\b(?:RE|FWD?)\s*:')
or any([body.current_thread.text, body.html.display_text, body.plain.raw],
3 of (
strings.icontains(., "from:"),
strings.icontains(., "to:"),
strings.icontains(., "sent:"),
strings.icontains(., "date:"),
strings.icontains(., "cc:"),
strings.icontains(., "subject:")
)
)
)
// Check for the Presence of References or In-Reply-To properties
and (length(headers.references) == 0 or headers.in_reply_to is null)
attack_types:
- "BEC/Fraud"
tactics_and_techniques:
- "Free email provider"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
id: "ca64e819-576b-574a-abcc-63f1916e8a41"