
Summary
Detects inbound emails that carry forged prior-thread histories using abnormally spaced colon headers in the preamble. The rule targets messages that reference organization VIP recipients in earlier threads who are not present in the current live recipients, indicating an attempt to manufacture legitimacy. It particularly focuses on impersonation tied to VIPs (e.g., finance or accounts payable workflows) and fraud signals such as overdue invoices, balance statements, and payment requests. The detector looks for a previous thread with a single recipient (no CC), a preamble containing at least two instances of a space around a colon, and a header-like pattern that mimics generated preambles. It then cross-checks whether the VIPs referenced in the prior thread appear as recipients (via email or display_name) in the organization VIP list (org_vips) and are absent from the live message’s recipients in either the To or CC fields. A fallback path checks for VIPs present only in the display_name when there is no corresponding email address, again ensuring they do not appear among the live recipients. The rule uses content analysis, header analysis, and sender analysis to detect impersonation, spoofing, and social-engineering variants, classifying as BEC/Fraud. The rule is designed to catch fabricated thread histories and misrepresented VIPs to push fraudulent payment actions, while leveraging programmatic preambles as a stealth signal. Potential limitations include false positives in legitimate multi-thread discussions involving VIPs or preambles mimicking legitimate headers. Recommended mitigations include enforcing strict header formatting, validating VIP presence against live recipient lists, and supplementing with DMARC/DKIM/SPF signals and vendor/vendor invoice verification where applicable.
Categories
- Network
- Endpoint
- Application
Data Sources
- Network Traffic
- Application Log
- Process
Created: 2026-07-09