BEC/Fraud: Generic scam attempt to undisclosed recipients

Detects potential generic scams by analyzing text within the email body and other suspicious signals.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The "source" block is the MQL query that is
# evaluated against each inbound message; every "and" clause below must hold
# for the rule to fire.
name: "BEC/Fraud: Generic scam attempt to undisclosed recipients"
description: |
    Detects potential generic scams by analyzing text within the email body and other suspicious signals.
type: "rule"
severity: "low"
source: |
  type.inbound
  
  // undisclosed recipients: some To/CC/BCC entry has a display name
  // matching "Undisclosed recipients"
  and any([recipients.to, recipients.bcc, recipients.cc],
          any(., .display_name =~ "Undisclosed recipients")
  )
  
  // mismatched sender (from) and Reply-to: at least one Reply-To header is
  // present and every Reply-To root domain differs from the sender's root domain
  // NOTE(review): the expression inside the outer any() never references the
  // current element (.), so the outer any() only repeats the non-empty check
  // that length() > 0 already makes; confirm MQL semantics before simplifying
  and any(headers.reply_to,
          length(headers.reply_to) > 0
          and all(headers.reply_to,
                  .email.domain.root_domain != sender.email.domain.root_domain
          )
  )
  
  // generic recipient: the NLU classifier found a "recipient" entity whose
  // text contains "sir" or "madam" (case-insensitive), i.e. an impersonal
  // salutation rather than a named addressee
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "recipient" and regex.icontains(.text, "(sir|madam)")
  )
  
  // request made: the classifier found a "request" entity in the current thread
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request"
  )
  
  // not a bec scam: the classifier assigned no "bec" intent
  // (presumably BEC-intent messages are handled by a separate rule -- confirm)
  and all(ml.nlu_classifier(body.current_thread.text).intents, .name != "bec")
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (equivalently: the sender root domain is not on the high-trust list, or it
  // is on the list but the message did not pass DMARC)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender profile: either a new/outlier sender that was not solicited, or a
  // sender with prior malicious/spam messages and no benign history
  // NOTE(review): the "not any_messages_benign" in the second branch is
  // restated by the trailing clause after this group, so it is redundant
  // there but harmless
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // applies to both branches above: never fire for a sender with any benign history
  and not profile.by_sender().any_messages_benign  
# Classification metadata attached to alerts produced by this rule.
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
# Stable identifier for this rule.
id: "5dac401f-d3c1-5092-aba4-58ab597c702b"