High Severity

Headers: X-Source-Auth mismatch with mismatched reply-to domain

Description

Detects inbound messages in which an X-Source-Auth header carries a parseable email address that does not match the sender's address, while every Reply-To address sits on a different root domain than the sender's, and the message body carries at least one NLU intent that is not confidently benign. The combination of a source-authentication identity that disagrees with the visible From address and a reply path routed off-domain indicates potential sender spoofing or impersonation.

References

No references.

Sublime Security
Created May 21st, 2026 • Last updated May 21st, 2026
Source
type.inbound
// X-Source-Auth doesn't match sender:
// some hop carries an X-Source-Auth value that parses as an email address
// but is not the sender's address (the raw header value is compared)
and any(headers.hops,
        any(.fields,
            .name == 'X-Source-Auth'
            and .value != sender.email.email
            and strings.parse_email(.value).email is not null
        )
)
// mismatched sender (from) and Reply-to:
// at least one Reply-To is present and every Reply-To is on a different
// root domain than the sender (a subdomain of the sender's domain is not a mismatch)
and length(headers.reply_to) > 0
and all(headers.reply_to,
        .email.domain.root_domain != sender.email.domain.root_domain
)
// body has at least one detected intent, and none is confidently benign
and length(ml.nlu_classifier(body.current_thread.text).intents) > 0
and not any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == 'benign' and .confidence != 'low'
)
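The two header clauses of the rule, re-implemented in Python over a raw EML so the logic can be exercised offline. This is an added example, not Sublime's code and not MQL: the ml.nlu_classifier gate is platform-specific and is not reproduced here, and root_domain() is an assumed simplification (last two DNS labels) standing in for MQL's .root_domain, which a real implementation would back with the Public Suffix List. The sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr


def root_domain(domain: str) -> str:
    """Approximation of MQL's .root_domain: keep the last two labels.

    Assumption of this example only; 'example.co.uk' would wrongly collapse
    to 'co.uk'. Use the Public Suffix List for anything production-grade.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parsed_address(value: str) -> str:
    """Stand-in for strings.parse_email(value).email: addr-spec or '' if none."""
    addr = parseaddr(value)[1]
    return addr.lower() if "@" in addr else ""


def x_source_auth_mismatch(raw_eml: str) -> bool:
    """True when both header clauses of the rule fire on the message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender = parsed_address(msg.get("From", ""))
    if not sender:
        return False
    sender_root = root_domain(sender.rsplit("@", 1)[1])

    # Clause 1: some X-Source-Auth value parses as an address but is not the
    # sender's address. Like the rule, the raw header value is compared, so a
    # value written as "Name <addr>" counts as a mismatch even for the same addr.
    xsa_mismatch = any(
        str(v).strip().lower() != sender and parsed_address(str(v)) != ""
        for v in msg.get_all("X-Source-Auth", [])
    )

    # Clause 2: at least one Reply-To exists and every Reply-To is on a
    # different root domain than the sender.
    reply_tos = [
        a.lower() for _, a in getaddresses(msg.get_all("Reply-To", [])) if "@" in a
    ]
    if not reply_tos:
        return False
    reply_to_mismatch = all(
        root_domain(a.rsplit("@", 1)[1]) != sender_root for a in reply_tos
    )

    return xsa_mismatch and reply_to_mismatch


# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: "Accounts Payable" <ap@example.com>
Reply-To: billing-desk@example-invoices.net
X-Source-Auth: mailer@outbound.example.org
Subject: Updated remittance details

Please update the wire details on file before the next payment run.
"""

CONSISTENT = """\
From: ap@example.com
Reply-To: billing@example.com
X-Source-Auth: ap@example.com
Subject: Invoice 1042

Attached is this month's invoice.
"""

NO_REPLY_TO = """\
From: ap@example.com
X-Source-Auth: mailer@outbound.example.org
Subject: Invoice 1042

Attached is this month's invoice.
"""

SUBDOMAIN_REPLY_TO = """\
From: ap@example.com
Reply-To: billing@mail.example.com
X-Source-Auth: mailer@outbound.example.org
Subject: Invoice 1042

Attached is this month's invoice.
"""

if __name__ == "__main__":
    for name, eml in [("suspicious", SUSPICIOUS), ("consistent", CONSISTENT),
                      ("no_reply_to", NO_REPLY_TO), ("subdomain", SUBDOMAIN_REPLY_TO)]:
        print(f"{name}: {x_source_auth_mismatch(eml)}")
```

Only the suspicious message trips both clauses; the subdomain case shows why the rule compares root domains rather than full domains, so a legitimate reply path on mail.example.com does not count as a mismatch against example.com.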