Free email provider sender with mismatched provider reply-to

name: "Free email provider sender with mismatched provider reply-to"
description: "Detects when a sender using a free email provider includes a reply-to address from a different free email provider, which is a common social engineering tactic."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain in $free_email_providers
  and length(headers.reply_to) > 0
  and any(headers.reply_to,
          .email.domain.root_domain in $free_email_providers
          and .email.domain.root_domain != sender.email.domain.root_domain
          and .email.domain.root_domain not in ("googlegroups.com")
  )
  // secureserver.net seems to rewrite the sender local part to be the reply-to domain for bounces
  // observed in many newsletter sent via secureserver.net
  and not (
    strings.istarts_with(sender.email.domain.domain, 'bounces.')
    and sender.email.domain.root_domain == 'secureserver.net'
    and all(headers.reply_to,
            strings.istarts_with(sender.email.local_part, .email.local_part)
            and strings.iends_with(sender.email.local_part, .email.domain.domain)
    )
  )
  // lists.riseup.net send from the list address and use the reply-to of the sender
  // the sender is within the X-Original-From header and contains the full "From" header
  and not (
    sender.email.domain.domain == "lists.riseup.net"
    and any(headers.hops,
            any(.fields,
                .name =~ "X-Original-From"
                and any(headers.reply_to,
                        strings.icontains(..value, .email.email)
                )
            )
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "fcd831d0-9e03-5c9a-aa2f-af37d3a8c156"