BEC/Fraud: Scam Lure with freemail pivot
This rule detects BEC/Fraud lures that try to get the victim to move the conversation out of band to a freemail address given in the message body.
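name: "BEC/Fraud: Scam Lure with freemail pivot"
description: "This rule detects BEC/Fraud lures attempting to solicit the victim to pivot out of band via a freemail address in the body."
type: "rule"
severity: "low"
source: |
  type.inbound

  // body is short
  and length(body.current_thread.text) < 800

  // exactly one To recipient, and it is the sender itself (self-addressed,
  // consistent with lures delivered via Bcc). The recipient domain must be
  // valid or be an "undisclosed recipients" placeholder, and must not be one
  // of our own domains. The two per-recipient conditions are folded into a
  // single all() so the validity/placeholder check is written once.
  and length(recipients.to) == 1
  and all(recipients.to,
          .email.email == sender.email.email
          and .email.domain.root_domain not in $org_domains
          and (
            .email.domain.valid or strings.icontains(.display_name, "undisclosed")
          )
  )

  // exactly one link, and it does not point at the sender's root domain
  and length(body.links) == 1
  and all(body.links,
          .href_url.domain.root_domain != sender.email.domain.root_domain
  )

  // scam indicators: honorifics, "sir"/"madam"/"kindly", and German
  // urgency/claim wording (dringend = urgent, eingefordert = demanded,
  // anspruch = claim).
  // NOTE(review): the alternation has no word boundaries, so e.g. "sir"
  // also matches inside "desire"; the short-body, single-link and
  // sender-profile conditions are what keep this from firing broadly.
  and regex.icontains(body.current_thread.text,
                      '((?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+)|(sir|madam|kindly)|(dringend|eingefordert|anspruch)'
  )

  // body contains an email address and mentions a freemail provider
  // NOTE(review): these two tests are independent -- the address match and
  // the provider match need not be the same string, so an org-domain
  // address plus an unrelated mention of e.g. "gmail.com" elsewhere in the
  // text also satisfies this. Extracting the matched address's domain and
  // comparing it against $free_email_providers would close that gap.
  and (
    regex.contains(body.current_thread.text,
                   "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
    )
    and any($free_email_providers, strings.icontains(body.current_thread.text, .))
  )

  // sender is either new/outlier and unsolicited, or has prior
  // malicious/spam messages. A prior false positive suppresses the rule in
  // both cases, so the FP check is applied once, outside the branches,
  // rather than repeated inside the second one.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_false_positives
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Out of band pivot"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "898c769f-45a4-5561-8d51-be765addcf1d"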