heroui logo

Link: Invalid reply-to with recipient details in subject, body, and encoded link

Sublime Rules

View Source
Summary
Detects inbound emails that misuse a reply-to address by correlating recipient details across subject, body, and encoded links. The rule triggers when the reply-to header is invalid, the subject contains the recipient's domain SLD, the body includes the recipient's local_part and domain SLD, and a link in the body carries a fragment that base64-decodes to the recipient's full email. This combination targets credential phishing and BEC/fraud attempts, leveraging header, content, and URL analyses to identify spoofed communications aimed at credential or financial theft.
Categories
  • Application
  • Web
Data Sources
  • Application Log
  • Network Traffic
  • Domain Name
Created: 2026-07-17