High Severity
Generic Service Abuse From Newly Registered Domain
Description
Detects messages from services that write the true sender to the reply-to field, where the sender has no prior legitimate message history and is newly registered. Indicative of service abuse.
References
No references.
Sublime Security
Created Apr 15th, 2025 • Last updated Apr 15th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
and sender.email.domain.domain in $replyto_service_domains
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
and not beta.profile.by_reply_to().solicited
and not beta.profile.by_reply_to().any_messages_benign
Playground
Test against your own EMLs or sample data.