PenPal Scam

This rule detects messages from individuals looking to establish contact under the guise of seeking friendship or a penpal relationship. Over time, they build trust and then exploit this relationship by asking for money, personal information, or involvement in suspicious activities.

Sublime rule

 1name: "PenPal Scam"
 2description: "This rule detects messages from individuals looking to establish contact under the guise of seeking friendship or a penpal relationship. Over time, they build trust and then exploit this relationship by asking for money, personal information, or involvement in suspicious activities."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // the sender or the reply-to is a freemail provider
 9  and (
10    sender.email.domain.domain in $free_email_providers
11    or any(headers.reply_to,
12           .email.domain.root_domain in $free_email_providers
13           and not sender.email.domain.root_domain in $free_email_providers
14    )
15  )
16  
17  // body contains pen ?pal
18  and regex.contains(body.current_thread.text, 'pen\s?pal')
19  
20  // and NLU Request
21  and any(ml.nlu_classifier(body.current_thread.text).entities,
22          .name == "request"
23  )
24  
25  // not a reply
26  and (
27    length(headers.references) == 0
28    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
29  )
30  
31  // new sender
32  and (
33    (
34      profile.by_sender().prevalence in ("new", "outlier")
35      and not profile.by_sender().solicited
36    )
37    or profile.by_sender().any_messages_malicious_or_spam
38  )
39  and not profile.by_sender().any_false_positives
40  
41  // negate highly trusted sender domains unless they fail DMARC authentication
42  and (
43    (
44      sender.email.domain.root_domain in $high_trust_sender_root_domains
45      and (
46        any(distinct(headers.hops, .authentication_results.dmarc is not null),
47            strings.ilike(.authentication_results.dmarc, "*fail")
48        )
49      )
50    )
51    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
52  )  
53
54attack_types:
55  - "BEC/Fraud"
56tactics_and_techniques:
57  - "Free email provider"
58  - "Social engineering"
59detection_methods:
60  - "Content analysis"
61  - "Header analysis"
62  - "Sender analysis"
63id: "a4bdfa17-7527-5ee2-a27b-44d03e190773"