Low Severity
Honorific greeting BEC attempt with sender and reply-to mismatch
Description
Detects generic BEC/Fraud scams by analyzing text within the email body from mismatched senders with other suspicious indicators.
References
No references.
Sublime Security
Created Nov 22nd, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
// mismatched sender (From) and Reply-to + freemail
and any(headers.reply_to,
length(headers.reply_to) > 0
and all(headers.reply_to,
.email.domain.root_domain != sender.email.domain.root_domain
and .email.domain.root_domain in $free_email_providers
)
)
// use of honorific
and regex.icontains(body.current_thread.text,
'(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+'
)
// BEC-themed language
and (
any(ml.nlu_classifier(body.current_thread.text).intents, .name in ("bec", "advance_fee"))
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.