Medium Severity
Domain Impersonation: Freemail ReplyTo_Local Lookalike with Financial Request
Description
This technique takes advantage of free email services for the reply-to address. By placing the sender's domain in the local part of the reply-to address, the attacker makes the reply-to address look visually similar to a legitimate address at that domain.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated May 3rd, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and any(headers.reply_to,
        .email.email != sender.email.email
        and .email.domain.domain in $free_email_providers
        and .email.email not in $sender_emails
        and strings.contains(.email.local_part, sender.email.domain.sld)
)
and (
  any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec" and .confidence in ("medium", "high"))
  or (
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial")
    and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
    and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
    and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "sender")
    and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
  )
)
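The header half of the rule (the conditions inside the any(headers.reply_to, ...) block) reimplemented in Python as an added example, not part of the Sublime rule. The provider and known-sender sets are constructed stand-ins for $free_email_providers and $sender_emails, the sld() helper is a simplified approximation of sender.email.domain.sld, and the NLU intent/entity half of the rule is not modelled.

```python
import email
from email import policy

# Constructed stand-in for Sublime's $free_email_providers list (the real list is much larger).
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "proton.me"}
# Constructed stand-in for $sender_emails: addresses the organization has legitimately seen sending mail.
KNOWN_SENDER_EMAILS = {"jane.doe.acme-corp@outlook.com"}
# Constructed: a few multi-label public suffixes so sld() does not return "co" for acme.co.uk.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def sld(domain):
    """Second-level label of a domain, e.g. 'acme-corp' for acme-corp.com (simplified suffix handling)."""
    labels = domain.lower().split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return labels[-suffix_len - 1] if len(labels) > suffix_len else ""

def header_addresses(msg, name):
    """All addr-specs found in every instance of the named header, lower-cased."""
    return [a.addr_spec.lower() for h in msg.get_all(name, []) for a in h.addresses]

def reply_to_lookalikes(raw_message):
    """Reply-To addresses that satisfy the rule's header conditions: differ from the
    sender, sit on a free provider, are not a known sender address, and embed the
    sender domain's SLD in their local part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    senders = header_addresses(msg, "From")
    if not senders:
        return []
    sender_email = senders[0]
    sender_sld = sld(sender_email.rpartition("@")[2])
    if not sender_sld:
        return []
    hits = []
    for reply_to in header_addresses(msg, "Reply-To"):
        local, _, domain = reply_to.rpartition("@")
        if (reply_to != sender_email
                and domain in FREE_EMAIL_PROVIDERS
                and reply_to not in KNOWN_SENDER_EMAILS
                and sender_sld in local):
            hits.append(reply_to)
    return hits

# Constructed sample messages (bodies omitted: the NLU half of the rule is not modelled here).
SUSPICIOUS = "From: Jane Doe <jane.doe@acme-corp.com>\nReply-To: jane.doe.acme-corp@gmail.com\nSubject: Invoice\n\n"
KNOWN_FREEMAIL = "From: Jane Doe <jane.doe@acme-corp.com>\nReply-To: jane.doe.acme-corp@outlook.com\nSubject: Invoice\n\n"
SAME_DOMAIN = "From: Jane Doe <jane.doe@acme-corp.com>\nReply-To: jane.doe@acme-corp.com\nSubject: Invoice\n\n"

if __name__ == "__main__":
    for label, raw in [("suspicious", SUSPICIOUS), ("known freemail", KNOWN_FREEMAIL), ("same domain", SAME_DOMAIN)]:
        print(label, "->", reply_to_lookalikes(raw))
```

Only the first sample is flagged; the second is excluded by the known-sender list and the third because the reply-to address is not on a free provider.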