
Link: Invalid reply-to with recipient details in subject, body, and encoded link
Sublime Rules
View SourceSummary
Detects inbound emails that misuse a reply-to address by correlating recipient details across subject, body, and encoded links. The rule triggers when the reply-to header is invalid, the subject contains the recipient's domain SLD, the body includes the recipient's local_part and domain SLD, and a link in the body carries a fragment that base64-decodes to the recipient's full email. This combination targets credential phishing and BEC/fraud attempts, leveraging header, content, and URL analyses to identify spoofed communications aimed at credential or financial theft.
Categories
- Application
- Web
Data Sources
- Application Log
- Network Traffic
- Domain Name
Created: 2026-07-17