Sublime Core Feed
Medium Severity

Newly registered sender or reply-to domain with newly registered linked domain

Description

This rule detects inbound emails that contain links and a reply-to address, where either the sender domain or the reply-to domain is newly registered (≤30 days old), and at least one linked domain is also very new (≤14 days old). It flags potential phishing or business email compromise attempts that use recently created infrastructure and reply-to mismatch tactics to bypass trust and impersonate legitimate contacts.

References

No references.

Sublime Security
Created Jul 7th, 2025 • Last updated Aug 5th, 2025
Source
type.inbound
and length(body.links) > 0
and length(headers.reply_to) > 0
and (
  any(headers.reply_to,
      network.whois(.email.domain).days_old <= 30
      and .email.email != sender.email.email
  )
  or network.whois(sender.email.domain).days_old <= 30
)
and any(distinct(body.links, .href_url.domain.root_domain),
        network.whois(.href_url.domain).days_old < 14
)
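The same detection logic, re-implemented in Python as an added example (this is not Sublime's code or an MQL interpreter). The WHOIS table, the fixed "today", and the domains and messages are constructed placeholders, and the reply-to/sender comparison and the 30-day and 14-day thresholds follow the MQL above.

```python
from datetime import date
from typing import Optional
from urllib.parse import urlparse

# Constructed WHOIS creation dates standing in for network.whois(); hypothetical domains.
WHOIS_CREATED = {
    "example-corp.com": date(2015, 3, 2),     # long-established
    "acme-invoices.top": date(2025, 6, 30),   # 7 days old on TODAY
    "pay-acme.xyz": date(2025, 7, 1),         # 6 days old on TODAY
}
TODAY = date(2025, 7, 7)  # fixed clock so the example is reproducible

def days_old(domain: str) -> Optional[int]:
    """Age in days, or None when no WHOIS record is known (null in MQL)."""
    created = WHOIS_CREATED.get(domain)
    return (TODAY - created).days if created else None

def newer_than(domain: str, max_days: int) -> bool:
    """True only if WHOIS data exists and age <= max_days; unknown never matches."""
    age = days_old(domain)
    return age is not None and age <= max_days

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def root_domain(host: str) -> str:
    """Registrable domain, simplified to the last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def matches_rule(msg: dict) -> bool:
    """Inbound, has links and a reply-to, sender or mismatched reply-to domain <= 30 days,
    and at least one distinct linked root domain < 14 days old."""
    if msg["type"] != "inbound" or not msg["links"] or not msg["reply_to"]:
        return False
    reply_to_hit = any(rt != msg["sender"] and newer_than(domain_of(rt), 30)
                       for rt in msg["reply_to"])
    sender_hit = newer_than(domain_of(msg["sender"]), 30)
    if not (reply_to_hit or sender_hit):
        return False
    roots = {root_domain(urlparse(u).hostname or "") for u in msg["links"]}
    return any(newer_than(r, 13) for r in roots)  # MQL: days_old < 14

# Constructed sample messages: a suspicious one and a benign one.
SUSPICIOUS = {"type": "inbound", "sender": "ap@example-corp.com",
              "reply_to": ["billing@acme-invoices.top"],
              "links": ["https://portal.pay-acme.xyz/invoice/1"]}
BENIGN = {"type": "inbound", "sender": "ap@example-corp.com",
          "reply_to": ["ap@example-corp.com"],
          "links": ["https://www.example-corp.com/statement"]}
```

Running `matches_rule` over both samples flags only SUSPICIOUS: its reply-to differs from the sender and sits on a 7-day-old domain, and its link's root domain is 6 days old.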