Medium Severity
Fake Message Thread - Untrusted Sender with a Mismatched Freemail Reply-To Address
Description
Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility. This is typically used in conjunction with a reply-to address that is not the same as the sender address.
Sublime Security
Created Aug 17th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and (
(
profile.by_sender_email().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// Reply-to is a freemail sender but From is not
and any(headers.reply_to,
.email.domain.domain in $free_email_providers
and not .email.domain.domain == sender.email.domain.domain
)
// Exclude marketing emails
and not strings.ilike(sender.email.local_part,
"support",
"sales",
"noreply",
"marketing"
)
// Exclude mailing lists
and not any(headers.hops,
any(.fields,
.name in (
"x-google-group-id",
"list-post",
"mailing-list"
)
)
)
// Check for Message Thread Indicators
and (
regex.icontains(subject.subject, '\b(?:RE|FWD?)\s*:')
or any([body.current_thread.text, body.html.display_text, body.plain.raw],
3 of (
strings.icontains(., "from:"),
strings.icontains(., "to:"),
strings.icontains(., "sent:"),
strings.icontains(., "date:"),
strings.icontains(., "cc:"),
strings.icontains(., "subject:")
)
)
)
// Check for the Presence of References or In-Reply-To properties
and (length(headers.references) == 0 or headers.in_reply_to is null)
Playground
Test against your own EMLs or sample data.