[PR #3781] added rule: Headers: Fake in-reply-to with wildcard sender and missing thread context

Author: github-actions[bot]

detection-rules/3781_headers_reply_to_wildcard_sender.yml

@@ -0,0 +1,26 @@
+name: "Headers: Fake in-reply-to with wildcard sender and missing thread context"
+description: "Detects messages claiming to be replies with In-Reply-To headers but lacking previous thread context, sent from addresses containing multiple wildcard characters in the local part."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and headers.in_reply_to is not null
+  and not (subject.is_forward or subject.is_reply)
+  and length(body.previous_threads) == 0
+  and strings.count(sender.email.local_part, "*") >= 2
+
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+  - "Spoofing"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+  - "Content analysis"
+id: "d502cde5-d6ff-5b08-9910-ceea5dd46ed9"
+og_id: "89da670a-4b03-52f7-891c-48820bb2362a"
+testing_pr: 3781
+testing_sha: bc6376fffc9cc83447f0daf306959d4223c788e7