
Sender: IP address in local part

Detects messages where the sender's email local part contains an IPv4 address, which is commonly used in malicious campaigns to bypass filters or appear legitimate.

MITRE ATT&CK

defense-evasion
initial-access

Detection Query

type.inbound
and length(body.current_thread.text) > 100
and regex.icontains(sender.email.local_part,
                    '(?:\d{1,3}\.){3}\d{1,3}[^\.][[:alpha:]]+',
                    '[[:alpha:]]+(?:\d{1,3}\.){3}\d{1,3}[^\.]'
)
and not (
  strings.ilike(sender.email.local_part, "*report*", "*abuse*")
  or any(ml.nlu_classifier(body.current_thread.text).topics,
         .name == "Bounce Back and Delivery Failure Notifications"
         and .confidence != "low"
  )
)
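The query's logic, reproduced in Python as an added example (this is not Sublime's engine or the rule's own code): the two patterns are translated from POSIX `[[:alpha:]]` to `[A-Za-z]`, the `report`/`abuse` exclusion is kept verbatim, and the NLU "Bounce Back and Delivery Failure Notifications" topic is approximated with a constructed keyword list, which is an assumption rather than the classifier's behaviour.

```python
import re

# Python translation of the rule's two regexes. Python's re module has no
# POSIX [[:alpha:]] class, so it is rewritten as [A-Za-z]; IGNORECASE
# mirrors regex.icontains.
IP_THEN_WORD = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}[^.][A-Za-z]+", re.IGNORECASE)
WORD_THEN_IP = re.compile(r"[A-Za-z]+(?:\d{1,3}\.){3}\d{1,3}[^.]", re.IGNORECASE)

# Constructed stand-in for the NLU bounce topic (assumption: the real rule
# uses ml.nlu_classifier, which is not reproduced here).
BOUNCE_PHRASES = ("could not be delivered", "undeliverable",
                  "mail delivery subsystem", "delivery has failed")


def looks_like_bounce(body_text: str) -> bool:
    """Keyword approximation of the bounce/delivery-failure exclusion."""
    lowered = body_text.lower()
    return any(phrase in lowered for phrase in BOUNCE_PHRASES)


def local_part_has_ip(local_part: str) -> bool:
    """True if either pattern (IP then letters, or letters then IP) matches."""
    return bool(IP_THEN_WORD.search(local_part) or WORD_THEN_IP.search(local_part))


def rule_matches(sender_email: str, body_text: str, inbound: bool = True) -> bool:
    """Mirror the rule: inbound, body longer than 100 chars, IPv4 in the
    sender local part, and none of the exclusions."""
    if not inbound or len(body_text) <= 100:
        return False
    local_part = sender_email.split("@", 1)[0]
    if not local_part_has_ip(local_part):
        return False
    lowered = local_part.lower()
    if "report" in lowered or "abuse" in lowered:   # strings.ilike exclusion
        return False
    return not looks_like_bounce(body_text)


# Constructed sample bodies, both longer than the 100-character threshold.
LONG_BODY = ("Please review the attached invoice and confirm payment "
             "details at your earliest convenience. ") * 2
BOUNCE_BODY = ("Mail Delivery Subsystem: your message could not be delivered "
               "to the recipient. The remote server returned an error: "
               "mailbox unavailable. This is a permanent failure.")

if __name__ == "__main__":
    for sender, body in (("192.168.1.1abc@example.test", LONG_BODY),
                         ("invoice10.0.0.5x@example.test", LONG_BODY),
                         ("abusereport10.1.1.1x@example.test", LONG_BODY),
                         ("mailer10.0.0.1q@example.test", BOUNCE_BODY),
                         ("alice.smith@example.test", LONG_BODY)):
        print(f"{sender:40} -> {rule_matches(sender, body)}")
```

Note that `1.2.3.4.example` is not flagged: `[^\.]` requires the character after the last octet to be something other than a dot, so dotted version-like strings fall outside both patterns.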

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Tags

Attack surface reduction

Raw Content
name: "Sender: IP address in local part"
description: "Detects messages where the sender's email local part contains an IPv4 address, which is commonly used in malicious campaigns to bypass filters or appear legitimate."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.current_thread.text) > 100
  and regex.icontains(sender.email.local_part,
                      '(?:\d{1,3}\.){3}\d{1,3}[^\.][[:alpha:]]+',
                      '[[:alpha:]]+(?:\d{1,3}\.){3}\d{1,3}[^\.]'
  )
  and not (
    strings.ilike(sender.email.local_part, "*report*", "*abuse*")
    or any(ml.nlu_classifier(body.current_thread.text).topics,
           .name == "Bounce Back and Delivery Failure Notifications"
           and .confidence != "low"
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Spam"
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Spoofing"
detection_methods:
  - "Sender analysis"
id: "e271fa80-e10e-5f75-b218-5b92bae97655"