• Sublime Core Feed
Medium Severity

Business Email Compromise (BEC) attempt from unsolicited sender

Labels

BEC/Fraud
Social engineering
Spoofing
Content analysis
File analysis
Header analysis
Sender analysis

Description

Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("bec") and .confidence == "high"
)
and 
// mismatched From and Reply-to
(
  (
    length(headers.reply_to) > 0
    and all(headers.reply_to,
            .email.domain.root_domain != sender.email.domain.root_domain
    )
  )
  or not headers.auth_summary.dmarc.pass
  or not headers.auth_summary.spf.pass
)

// negate "via" senders via dmarc authentication or gmail autoforwards
and not (
  strings.ilike(headers.return_path.local_part, "*+caf_=*")
  and strings.contains(sender.display_name, "via")
  and (headers.auth_summary.dmarc.pass)
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started