Source: sublime | Severity: medium | Type: Rule

Self-sender with copy/paste instructions and suspicious domains (French/Français)

Detects messages in which the sender emails themselves and the French body text contains both a 'copier' (copy) and a 'coller' (paste) instruction together with a reference to a free-hosting domain such as pages.dev or web.app. The subject line contains both the sender's email address and the sender's display name, and those two values differ.

MITRE ATT&CK

defense-evasion, initial-access

Detection Query

type.inbound
// self sender
and (
  length(recipients.to) == 1
  and length(recipients.cc) == 0
  and sender.email.email in map(recipients.to, .email.email)
)
and strings.icontains(subject.subject, sender.email.email)
and strings.icontains(subject.subject, sender.display_name)
and sender.email.email != sender.display_name
// copy
and strings.icontains(body.current_thread.text, 'copier')
// paste
and strings.icontains(body.current_thread.text, 'coller')
and (
  strings.contains(body.current_thread.text, '.pages.dev')
  or strings.contains(body.current_thread.text, '.web.app')
)
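As an added example (not Sublime's code and not part of this rule), the same conditions re-implemented in Python and run over constructed sample messages; the Message fields and the sample addresses are assumptions that mirror the MQL paths the query reads:

```python
from dataclasses import dataclass, replace

@dataclass
class Message:  # constructed stand-in for the MQL fields the rule reads
    inbound: bool
    sender_email: str          # sender.email.email
    sender_display_name: str   # sender.display_name
    to: list                   # recipients.to[].email.email
    cc: list                   # recipients.cc[].email.email
    subject: str               # subject.subject
    body_text: str             # body.current_thread.text

FREE_HOST_SUFFIXES = (".pages.dev", ".web.app")

def matches_rule(m: Message) -> bool:
    """Evaluate the rule's conditions in the same order as the MQL above."""
    if not m.inbound:
        return False
    # self sender: exactly one To recipient, no Cc, and that recipient is the sender
    if not (len(m.to) == 1 and len(m.cc) == 0 and m.sender_email in m.to):
        return False
    subj = m.subject.lower()
    # subject carries both the address and the display name (icontains: case-insensitive)
    if m.sender_email.lower() not in subj or m.sender_display_name.lower() not in subj:
        return False
    # ... and the display name is not simply the address repeated
    if m.sender_email == m.sender_display_name:
        return False
    body_l = m.body_text.lower()
    # French copy / paste instructions
    if "copier" not in body_l or "coller" not in body_l:
        return False
    # free-hosting domain anywhere in the body text (contains: case-sensitive)
    return any(s in m.body_text for s in FREE_HOST_SUFFIXES)

# Constructed samples: one message that fires and three near-misses, one per condition.
HIT = Message(
    inbound=True, sender_email="marie@example.com", sender_display_name="Marie Dupont",
    to=["marie@example.com"], cc=[],
    subject="Marie Dupont <marie@example.com> - Document partagé",
    body_text="Veuillez copier le lien et le coller dans votre navigateur : https://doc-secure.pages.dev/",
)
MISS_CC = replace(HIT, cc=["collegue@example.com"])                 # a Cc recipient: not a pure self-send
MISS_NAME = replace(HIT, sender_display_name="marie@example.com")   # display name equals the address
MISS_HOST = replace(HIT, body_text=HIT.body_text.replace("doc-secure.pages.dev", "intranet.example.com"))

if __name__ == "__main__":
    print({n: matches_rule(m) for n, m in [("HIT", HIT), ("MISS_CC", MISS_CC), ("MISS_NAME", MISS_NAME), ("MISS_HOST", MISS_HOST)]})
```

Note that the domain test is a plain substring match on the thread text, so a bare mention of `.pages.dev` in prose satisfies it just as a link does, while any Cc recipient or a second To address keeps the rule silent.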

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content
name: "Self-sender with copy/paste instructions and suspicious domains (French/Français)"
description: "Detects messages where the sender emails themselves with French text containing 'copier' (copy) and 'coller' (paste) instructions, along with suspicious domains like pages.dev or web.app. The subject line contains both the sender's email and display name, which are different values."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // self sender
  and (
    length(recipients.to) == 1
    and length(recipients.cc) == 0
    and sender.email.email in map(recipients.to, .email.email)
  )
  and strings.icontains(subject.subject, sender.email.email)
  and strings.icontains(subject.subject, sender.display_name)
  and sender.email.email != sender.display_name
  // copy
  and strings.icontains(body.current_thread.text, 'copier')
  // paste
  and strings.icontains(body.current_thread.text, 'coller')
  and (
    strings.contains(body.current_thread.text, '.pages.dev')
    or strings.contains(body.current_thread.text, '.web.app')
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "f51a5025-71f6-5626-a292-3e75dda0a1e7"