sublime-security · cybher0808 · Dec 23, 2025
@@ -1,79 +1,32 @@
-name: "Reconnaissance: Short generic greeting message"
-description: |
-  Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.
-type: "rule"
-severity: "medium"
-source: |
-  type.inbound
-  and length(body.current_thread.text) <= 20
-  and length(subject.base) <= 15
-  // exclude messages with previous thread context (forwards/replies)
-  and length(body.previous_threads) == 0
-  // detect generic greetings
-  and (
-    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "greeting")
-    or strings.ilike(body.current_thread.text, "*hi*", "*hello*", "*hey*")
-    or length(body.current_thread.text) <= 5
-  )
-  // external freemail sender
-  and sender.email.domain.root_domain in $free_email_providers
-  and sender.email.domain.root_domain not in (
-    recipients.to[0].email.domain.root_domain
-  )
-  and (
-    length(recipients.cc) == 0
-    or (
-      length(recipients.cc) > 0
-      and all(recipients.cc,
-              .email.domain.root_domain != sender.email.domain.root_domain
-      )
-    )
-  )
-  and (
-    length(recipients.bcc) == 0
-    or (
-      length(recipients.bcc) > 0
-      and all(recipients.bcc,
-              .email.domain.root_domain != sender.email.domain.root_domain
-      )
+type.inbound
+and length(body.current_thread.text) <= 20
+and length(subject.base) <= 15
+// exclude messages with previous thread context (forwards/replies)
+and length(body.previous_threads) == 0
+
+// emails referring to free email
+and sender.email.domain.root_domain in $free_email_providers
+and sender.email.domain.root_domain not in (
+  recipients.to[0].email.domain.root_domain
+)
+and (
+  length(recipients.cc) == 0
+  or (
+    length(recipients.cc) > 0
+    and all(recipients.cc,
+            .email.domain.root_domain != sender.email.domain.root_domain
     )
   )
-  // no attachments or links
-  and length(attachments) == 0
-  and length(body.current_thread.links) == 0
-  // negate sender profiles completely if auth is failing
-  and (
-    (
-      not (
-        headers.auth_summary.dmarc.pass == false
-        or headers.auth_summary.spf.pass == false
-      )
-      and (
-        not profile.by_sender().solicited
-        or (
-          profile.by_sender().any_messages_malicious_or_spam
-          and not profile.by_sender().any_false_positives
-        )
-      )
-      and not profile.by_sender().any_false_positives
-    )
-    or (
-      headers.auth_summary.dmarc.pass == false
-      or headers.auth_summary.spf.pass == false
-    )
+)
+and (
+  length(recipients.bcc) == 0
+  or (
+    length(recipients.bcc) > 0
+    and all(recipients.bcc,
+            .email.domain.root_domain != sender.email.domain.root_domain
   )
-
-tags:
- - "Attack surface reduction"
-attack_types:
-  - "BEC/Fraud"
-  - "Callback Phishing"
-tactics_and_techniques:
-  - "Social engineering"
-  - "Free email provider"
-detection_methods:
-  - "Content analysis"
-  - "Header analysis"
-  - "Natural Language Understanding"
-  - "Sender analysis"
-id: "c67dedab-91f5-5bbe-af81-f9895a02c065"
+)
+// no attachments or links
+and length(attachments) == 0
+and length(body.current_thread.links) == 0
+)