Service abuse: Demio notifications with suspicious content patterns

Detects messages from Demio notifications service containing suspicious patterns including phone numbers, monetary amounts, suspicious domain references, explicit content lures, or lengthy action-oriented subjects designed to manipulate recipients.

Sublime rule

name: "Service abuse: Demio notifications with suspicious content patterns"
description: "Detects messages from Demio notifications service containing suspicious patterns including phone numbers, monetary amounts, suspicious domain references, explicit content lures, or lengthy action-oriented subjects designed to manipulate recipients."
type: "rule"
severity: "medium"
source: |
  type.inbound
  //
  //  Warning: This rule contains sexually explicit keywords
  //
  and sender.email.email == 'notifications@demio.com'
  and (
    // phone number regex
    regex.icontains(subject.base,
                    '\+?(?:[ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                    '\+?(?:[ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
    )
    // dollar amounts
    or regex.icontains(subject.base, '(?:USD|\$)\s?\d')
    or regex.icontains(subject.base, '\d+\.\d{2}\s?(?:USD|usd)')
    // suspicious TLDs
    or regex.icontains(subject.base,
                       '\.(?:ac\.th|biz\.id|co\.(?:cl|id|za)|com\.(?:ge|py)|my\.id|ne\.jp|net\.ms|nom\.za|web\.id|accountants|am|app|ar|army|beauty|best|bet|bio|biz|bond|cam|cc|cf|cfd|chat|cl|click|cloud|club|cm|company|consulting|country|cricket|cyou|date|dev|digital|directory|domains|download|enterprises|es|expert|fashion|finance|fit|foo|free|fun|ga|gdn|gf|gq|gu|help|i2p|icu|il|ing|ink|ir|jetzt|kim|kz|lat|life|limited|link|live|loan|lol|ltd|ly|me|meme|men|ml|mom|monster|mov|mq|one|online|ooo|party|photos|pictures|pizza|press|pro|pub|pw|racing|re|ren|rest|review|ro|rsvp|ru|run|sale|sbs|science|shop|site|so|social|solutions|space|store|stream|su|sx|tech|tk|today|tokyo|top|trade|tt|ua|uno|us|vip|vu|wang|website|win|work|works|world|ws|xin|xyz|zip|zone)\b'
    )
    // dating/spam/explicit content lures
    or regex.icontains(strings.replace_confusables(subject.base),
                       '(?:\bs\s?e\s?x\b|horny|hook.?up|private room|wanna meet|wants to meet|naked|porn|webcam|nudes?|sexting|erotic|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|bed partner)'
    )
    // action verbs + length
    or (
      strings.count(subject.base, " ") > 8
      and regex.icontains(strings.replace_confusables(subject.base),
                          '(?:call|dial|speak to|contact \d|to (?:stop|void|reverse|confirm|secure|verify|unfreeze))'
      )
    )
  )
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Social engineering"
  - "Impersonation: Brand"
detection_methods:
  - "Sender analysis"
  - "Content analysis"
id: "d9365c88-cfcd-5046-9285-ef620441940e"
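To see how the branches of the rule combine, here is an added Python port of the subject checks (example code written for this page, not the Sublime rule engine). It uses the rule's second phone regex and trimmed TLD and lure lists, and a small lookalike-character map stands in for strings.replace_confusables(); the sample subjects are constructed.

```python
import re

# Sender the rule pins the checks to (from the rule above).
SENDER = "notifications@demio.com"

# Second phone regex from the rule, unchanged.
PHONE = re.compile(
    r"\+?(?:[ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s.\-⋅]{0,5}[ilo0-9]{3}[\s.\-⋅]{0,5}[ilo0-9]{4}",
    re.I)
# Both dollar-amount patterns folded into one alternation.
MONEY = re.compile(r"(?:USD|\$)\s?\d|\d+\.\d{2}\s?USD", re.I)
# Trimmed TLD list (assumption); the rule's own list is far longer.
TLD = re.compile(r"\.(?:xyz|top|icu|click|cfd|sbs|zip|mov)\b", re.I)
# Subset of the rule's lure keywords (assumption).
LURE = re.compile(
    r"(?:\bs\s?e\s?x\b|hook.?up|wanna meet|adult community|local (?:girls?|women|single))",
    re.I)
# Action-verb pattern from the rule, unchanged.
ACTION = re.compile(
    r"(?:call|dial|speak to|contact \d|to (?:stop|void|reverse|confirm|secure|verify|unfreeze))",
    re.I)
# Tiny stand-in for strings.replace_confusables() (assumption): a few
# digit/symbol lookalikes folded to the letters they imitate.
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "3": "e", "@": "a", "$": "s"})


def subject_reasons(subject):
    """Return the rule branches that fire for this subject, in rule order."""
    folded = subject.translate(CONFUSABLES)
    reasons = []
    if PHONE.search(subject):
        reasons.append("phone")
    if MONEY.search(subject):
        reasons.append("money")
    if TLD.search(subject):
        reasons.append("tld")
    if LURE.search(folded):           # rule applies confusable folding here
        reasons.append("lure")
    if subject.count(" ") > 8 and ACTION.search(folded):
        reasons.append("action")      # long subject plus an action verb
    return reasons


def evaluate(msg):
    """Mirror the rule: only Demio notification traffic is inspected."""
    if msg["sender"].lower() != SENDER:
        return []
    return subject_reasons(msg["subject"])


if __name__ == "__main__":
    # constructed sample, not taken from a real message
    print(evaluate({"sender": SENDER, "subject": "L0cal girls near you wanna meet tonight"}))
```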