From e0af2a9a8a01d23853e87b7ad01b05d402684715 Mon Sep 17 00:00:00 2001
From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
Date: Mon, 3 Nov 2025 16:30:53 -0500
Subject: [PATCH 1/2] Creating a rule from a runner to look for suspected thread hijacking and financial motivation
---
 ...domain_spoofing_with_financial_content.yml | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 detection-rules/thread_hijack_domain_spoofing_with_financial_content.yml
diff --git a/detection-rules/thread_hijack_domain_spoofing_with_financial_content.yml b/detection-rules/thread_hijack_domain_spoofing_with_financial_content.yml
new file mode 100644
index 00000000000..b0c7c1904d2
--- /dev/null
+++ b/detection-rules/thread_hijack_domain_spoofing_with_financial_content.yml
@@ -0,0 +1,47 @@
+name: "Thread hijacking: Domain spoofing with financial content"
+description: "Detects messages that appear to be part of an existing email thread but originate from a different domain than previous participants, combined with suspicious sender characteristics and financial content indicators."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ // message is part of an existing thread
+ length(headers.references) > 0
+ or headers.in_reply_to is not null
+ )
+ and (
+ // domain spoofing: sender domain differs from domains in thread history
+ any(body.previous_threads,
+ any(regex.iextract(.preamble, '<([^>]+@[^>]+)>'),
+ strings.parse_email(.groups[0]).domain.root_domain != sender.email.domain.root_domain
+ )
+ )
+ )
+ and (
+ // suspicious sender characteristics
+ sender.email.domain.tld in $suspicious_tlds
+ or sender.email.domain.domain in $free_email_providers
+ )
+ and (
+ // financial/business content indicators
+ regex.icontains(body.current_thread.text,
+ '(bank|payment|transaction|invoice|swift|wire|transfer|account|financial|money|usd|dollar)'
+ )
+ )
+ and (
+ // standard reputation checks
+ not profile.by_sender().solicited
+ or profile.by_sender().any_messages_malicious_or_spam
+ )
+ and not profile.by_sender().any_messages_benign
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Social engineering"
+ - "Spoofing"
+ - "Free email provider"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
From cd7c948e442dea9a26b0baaaf23fffab36518ba8 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Mon, 3 Nov 2025 21:40:34 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 .../thread_hijack_domain_spoofing_with_financial_content.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/thread_hijack_domain_spoofing_with_financial_content.yml b/detection-rules/thread_hijack_domain_spoofing_with_financial_content.yml
index b0c7c1904d2..0dcf4eb36b1 100644
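Review bot: The "domain spoofing" gate in `source` is close to tautological: `any(body.previous_threads, any(regex.iextract(...), ... != sender.email.domain.root_domain))` is true whenever any quoted participant belongs to a different organization than the sender, which is the normal case for every cross-company reply, so it does not separate a hijacked thread from a legitimate one and the rule effectively reduces to "free-mail or suspicious-TLD sender with financial keywords and no benign history". The stated intent (sender's domain is absent from the thread history) is better expressed as `not any(body.previous_threads, any(regex.iextract(.preamble, '<([^>]+@[^>]+)>'), strings.parse_email(.groups[0]).domain.root_domain == sender.email.domain.root_domain))`, with the caveat that a preamble yielding no `<addr>` match then passes silently, so the behaviour of `any` over an empty list should be confirmed against the engine's documentation. Separately, the keyword alternation `'(bank|payment|...|dollar)'` has no word boundaries, so `account` matches "accountability", `swift` matches "swiftly" and `bank` matches "bankruptcy"; anchoring it as `'\b(bank|payment|transaction|invoice|swift|wire|transfer|account|financial|money|usd|dollar)s?\b'` keeps the intended hits while cutting obvious noise. A short comment above `and not profile.by_sender().any_messages_benign` noting that this deliberately excludes known-benign senders, and therefore hijacks sent from a compromised but previously seen mailbox, would make that coverage trade-off explicit to the next maintainer.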
--- a/detection-rules/thread_hijack_domain_spoofing_with_financial_content.yml
+++ b/detection-rules/thread_hijack_domain_spoofing_with_financial_content.yml
@@ -45,3 +45,4 @@ detection_methods:
 - "Content analysis"
 - "Header analysis"
 - "Sender analysis"
+id: "7428de53-7b52-5ef5-81ba-c537e94a5711"