Medium Severity
Free Email Provider Sender with Mismatched Provider Reply-To
Description
Detects when a sender using a free email provider includes a reply-to address from a different free email provider, which is a common social engineering tactic.
References
No references.
Sublime Security
Created May 23rd, 2025 • Last updated May 23rd, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and sender.email.domain.root_domain in $free_email_providers
and length(headers.reply_to) > 0
and any(headers.reply_to,
        .email.domain.root_domain in $free_email_providers
        and .email.domain.root_domain != sender.email.domain.root_domain
        and .email.domain.root_domain not in ("googlegroups.com")
)
// secureserver.net seems to rewrite the sender local part to be the reply-to domain for bounces;
// observed in many newsletters sent via secureserver.net
and not (
  strings.istarts_with(sender.email.domain.domain, 'bounces.')
  and sender.email.domain.root_domain == 'secureserver.net'
  and all(headers.reply_to,
          strings.istarts_with(sender.email.local_part, .email.local_part)
          and strings.iends_with(sender.email.local_part, .email.domain.domain)
  )
)
// lists.riseup.net sends from the list address and uses the reply-to of the original sender;
// that sender is carried in the X-Original-From header, which contains the full "From" header
and not (
  sender.email.domain.domain == "lists.riseup.net"
  and any(headers.hops,
          any(.fields,
              .name =~ "X-Original-From"
              and any(headers.reply_to,
                      strings.icontains(..value, .email.email)
              )
          )
  )
)
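The same detection logic in plain Python over constructed headers, added here as an illustration and not Sublime's code: the provider set, the two-label root_domain approximation, and reading X-Original-From from the message headers instead of per-hop fields are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for Sublime's $free_email_providers list (assumption, not the real list);
# riseup.net is included only so the lists.riseup.net exclusion below is exercised.
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com", "riseup.net"}

def split_addr(addr):
    """Return (local_part, domain, root_domain), lower-cased. root_domain is
    approximated as the last two labels; MQL's root_domain is public-suffix aware."""
    local, _, domain = addr.lower().rpartition("@")
    return local, domain, ".".join(domain.split(".")[-2:])

def mismatched_free_reply_to(raw_eml):
    """Mirror the rule: free-provider sender with a Reply-To on a different free
    provider, minus the googlegroups, secureserver.net and lists.riseup.net exclusions."""
    msg = message_from_string(raw_eml)
    senders = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    reply_tos = [split_addr(a) for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    if not senders or not reply_tos:
        return False
    s_local, s_domain, s_root = split_addr(senders[0])
    if s_root not in FREE_EMAIL_PROVIDERS:
        return False
    if not any(r_root in FREE_EMAIL_PROVIDERS and r_root != s_root
               and r_root != "googlegroups.com" for _, _, r_root in reply_tos):
        return False
    # Exclusion: secureserver.net bounce senders carry the Reply-To local part and domain
    if (s_domain.startswith("bounces.") and s_root == "secureserver.net"
            and all(s_local.startswith(r_local) and s_local.endswith(r_domain)
                    for r_local, r_domain, _ in reply_tos)):
        return False
    # Exclusion: lists.riseup.net keeps the real sender in X-Original-From (read here from the
    # message headers; the rule inspects per-hop fields)
    if s_domain == "lists.riseup.net":
        originals = [v.lower() for v in msg.get_all("X-Original-From", [])]
        if any(f"{r_local}@{r_domain}" in v for v in originals for r_local, r_domain, _ in reply_tos):
            return False
    return True

# Constructed sample messages (not real traffic).
HIT = "From: Sender <sender@gmail.com>\nReply-To: sender@yahoo.com\nSubject: hi\n\nbody\n"
SAME_PROVIDER = "From: Alice <alice@gmail.com>\nReply-To: alice.work@gmail.com\nSubject: hi\n\nbody\n"
GROUPS = "From: Bob <bob@gmail.com>\nReply-To: team@googlegroups.com\nSubject: hi\n\nbody\n"
RISEUP = ("From: list@lists.riseup.net\nReply-To: Carol <carol@yahoo.com>\n"
          "X-Original-From: Carol <carol@yahoo.com>\n\nbody\n")

if __name__ == "__main__":
    for name, eml in [("HIT", HIT), ("SAME_PROVIDER", SAME_PROVIDER), ("GROUPS", GROUPS), ("RISEUP", RISEUP)]:
        print(name, mismatched_free_reply_to(eml))
```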