Sublime | Severity: medium | Type: Rule

Headers: Invalid recipient domain with mismatched reply-to from new sender

Message sent to an invalid recipient domain with a reply-to address that differs from the sender address, originating from a new sender.

MITRE ATT&CK

defense-evasion
initial-access

Detection Query

type.inbound
and length(recipients.to) <= 1
and all(recipients.to, .email.domain.valid == false)
and length(headers.reply_to) == 1
and headers.reply_to[0].email.domain.root_domain != sender.email.domain.root_domain
and profile.by_sender_email().prevalence == "new"
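The following Python is an added walk-through of the query above; it is not Sublime's implementation and is not part of the rule page. It evaluates the rule's six conjuncts over a handful of constructed messages whose nested fields mirror the MQL paths the rule reads (type.inbound, recipients.to[].email.domain.valid, headers.reply_to[].email.domain.root_domain, sender.email.domain.root_domain). The values of domain.valid and root_domain are assumed to be pre-computed by the mail-analysis platform and are hard-coded here, and profile.by_sender_email().prevalence is approximated by a lookup against an assumed set of previously seen sender addresses.

```python
"""Emulation of the MQL rule above (added example, not Sublime's code).

domain.valid and root_domain are assumed to be pre-computed upstream and are
hard-coded in the constructed samples; prevalence is approximated by a lookup
against a constructed set of previously seen sender addresses.
"""
from typing import Dict, List, Set


def addr(local: str, root_domain: str, valid: bool = True) -> Dict:
    """Build an address record in the shape the rule's field paths expect."""
    return {
        "email": {
            "email": f"{local}@{root_domain}",
            "domain": {"root_domain": root_domain, "valid": valid},
        }
    }


def message(sender: Dict, to: List[Dict], reply_to: List[Dict], inbound: bool = True) -> Dict:
    """Assemble a minimal message record carrying only the fields the rule reads."""
    return {
        "type": {"inbound": inbound},
        "sender": sender,
        "recipients": {"to": to},
        "headers": {"reply_to": reply_to},
    }


def sender_prevalence(sender_email: str, seen_senders: Set[str]) -> str:
    """Stand-in for profile.by_sender_email().prevalence (assumption).

    The real profile is built from authenticated mail, which is why the page's
    false-positive note says authentication failures look "new"; this stand-in
    ignores authentication and only checks whether the address was seen before.
    """
    return "common" if sender_email in seen_senders else "new"


def rule_matches(msg: Dict, seen_senders: Set[str]) -> bool:
    """Evaluate the rule's conjuncts in the same order as the MQL source."""
    to = msg["recipients"]["to"]
    reply_to = msg["headers"]["reply_to"]
    sender = msg["sender"]
    sender_root = sender["email"]["domain"]["root_domain"]
    return (
        msg["type"]["inbound"]
        # length(recipients.to) <= 1
        and len(to) <= 1
        # all(recipients.to, .email.domain.valid == false); vacuously true on an empty list
        and all(r["email"]["domain"]["valid"] is False for r in to)
        # length(headers.reply_to) == 1
        and len(reply_to) == 1
        # headers.reply_to[0].email.domain.root_domain != sender.email.domain.root_domain
        and reply_to[0]["email"]["domain"]["root_domain"] != sender_root
        # profile.by_sender_email().prevalence == "new"
        and sender_prevalence(sender["email"]["email"], seen_senders) == "new"
    )


# Constructed samples (not real traffic). The matching case is the shape the
# rule targets: a mistyped recipient TLD plus a reply-to on an unrelated domain.
SEEN_SENDERS = {"payroll@example-corp.test"}  # constructed sender history

SAMPLES = {
    "match": message(
        sender=addr("ceo", "example-corp.test"),
        to=[addr("accounts", "example-corp.cmo", valid=False)],
        reply_to=[addr("ceo.office", "webmail-provider.test")],
    ),
    "reply_to_same_root_domain": message(
        sender=addr("ceo", "example-corp.test"),
        to=[addr("accounts", "example-corp.cmo", valid=False)],
        reply_to=[addr("ceo", "example-corp.test")],
    ),
    "valid_recipient_domain": message(
        sender=addr("ceo", "example-corp.test"),
        to=[addr("accounts", "example-corp.test")],
        reply_to=[addr("ceo.office", "webmail-provider.test")],
    ),
    "known_sender": message(
        sender=addr("payroll", "example-corp.test"),
        to=[addr("accounts", "example-corp.cmo", valid=False)],
        reply_to=[addr("payroll", "webmail-provider.test")],
    ),
    "two_reply_to_headers": message(
        sender=addr("ceo", "example-corp.test"),
        to=[addr("accounts", "example-corp.cmo", valid=False)],
        reply_to=[addr("a", "webmail-provider.test"), addr("b", "webmail-provider.test")],
    ),
    "empty_to_list": message(  # all() over an empty list is vacuously true
        sender=addr("ceo", "example-corp.test"),
        to=[],
        reply_to=[addr("ceo.office", "webmail-provider.test")],
    ),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over every constructed sample; returns sample name -> verdict."""
    return {name: rule_matches(msg, SEEN_SENDERS) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'MATCH   ' if hit else 'no match'}  {name}")
```

Two things the samples make visible that the query text alone does not: any one failing conjunct (reply-to on the sender's own root domain, a valid recipient domain, a second Reply-To header, or a previously seen sender) clears the alert, and in Python an empty To list passes the `all(...)` clause vacuously, so the `length(recipients.to) <= 1` bound admits zero recipients as well as one. Whether the platform's `all()` behaves the same on an empty list is worth confirming against its documentation before relying on that edge case.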

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Tags

Attack surface reduction

Raw Content
name: "Headers: Invalid recipient domain with mismatched reply-to from new sender"
description: "Message sent to an invalid recipient domain with a reply-to address that differs from the sender address, originating from a new sender."
type: "rule"
severity: "medium"
false_positives:
  - "Any sender that fails email authentication will trigger the prevalence logic. For recurring benign senders, apply sender exclusions to prevent unnecessary matches."
source: |
  type.inbound
  and length(recipients.to) <= 1
  and all(recipients.to, .email.domain.valid == false)
  and length(headers.reply_to) == 1
  and headers.reply_to[0].email.domain.root_domain != sender.email.domain.root_domain
  and profile.by_sender_email().prevalence == "new"
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "f375ded1-a60e-58db-af3b-ef4983883196"