Medium Severity
Suspicious newly registered reply-to domain with engaging financial or urgent language
Description
Detects messages from a mismatched newly registered Reply-to domain that contain a financial or urgent request, or a request and an NLU tag with medium to high confidence, from an untrusted sender. This technique is typically observed in Vendor impersonation.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and length(body.current_thread.text) < 5000
and any(headers.reply_to,
// mismatched reply-to and sender domain
.email.domain.root_domain != sender.email.domain.root_domain
// newly registered reply-to domain
and network.whois(.email.domain).days_old <= 30
)
// request is being made
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
)
// there's financial/urgency OR a tag of medium/high confidence
and (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name in ("financial", "urgency")
)
or any(ml.nlu_classifier(body.current_thread.text).tags,
.name is not null and .confidence in ("medium", "high")
)
)
and (
not profile.by_sender().solicited
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
or not beta.profile.by_reply_to().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.