Medium Severity
Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)
Description
This rule detects unsolicited messages where the recipient matches the sender address and no other recipients are identified. The reply-to address does not match the sender, and is a freemail with no links in the body. This a common combination of techniques used by low level BEC threats.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any(recipients.to, .email.email == sender.email.email)
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
and length(body.links) == 0
and any(headers.reply_to,
.email.domain.domain in $free_email_providers
and not .email.domain.domain == sender.email.domain.domain
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Playground
Test against your own EMLs or sample data.