Medium Severity

Business Email Compromise: Request for mobile number via reply thread hijacking

Description

This rule detects BEC attacks that use reply threads to solicit mobile numbers, evading detection rules that exclude RE: subjects.

References

No references.

Sublime Security
Created Aug 4th, 2025 • Last updated Jul 6th, 2026
Source
type.inbound
and 0 < length(body.previous_threads) < 3
and length(attachments) == 0
// Check previous_threads for mobile solicitation patterns
and any(body.previous_threads,
        (
          length(.text) < 500
          // ignore disclaimers in body length calculation
          or (
            any(map(filter(ml.nlu_classifier(.text).entities,
                           .name == "disclaimer"
                    ),
                    .text
                ),
                (length(..text) - length(.)) < 500
            )
          )
        )
        and regex.icontains(.text,
                            '(?:mobile|suitable|contact|current|cell|call|another).{0,10}(?:phone|number|#|\bno)|personal\s?(?:phone|cell|number|#)|whatsapp|\bcell|personalcell|(?:reliable|recent).{0,30}(?:phone|number).{0,15}contact|(?:share|send|confirm).{0,20}number.{0,25}(?:text|sms|whatsapp|contact|reach\syou[\s,.\?](?:by|whether|when|for))|best\s+(?:number|#).{0,10}(?:text|sms|contact|call|message|in[-\s]?touch|to\suse)'
        )
)

// NLU analysis on previous_threads content
and (
  any(body.previous_threads,
      any(ml.nlu_classifier(.text).intents,
          .name in ("bec", "advance_fee") and .confidence in ("medium", "high")
      )
  )
  or (
    // confidence can be low on very short bodies
    any(body.previous_threads, length(.text) < 550)
    and (
      any(body.previous_threads,
          any(ml.nlu_classifier(.text).intents, .name == "bec")
      )
      or any(ml.nlu_classifier(sender.display_name).intents, .name == "bec")
      or any(body.previous_threads,
             any(ml.nlu_classifier(.text).entities,
                 strings.icontains(.text, "kindly")
             )
      )
    )
  )
)
// Sender analysis
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
// not high trust sender domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// Ensure this is likely a hijacked thread (sender doesn't match thread participants)
and (length(headers.references) > 0 or headers.in_reply_to is not null)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started