BEC/Fraud: Scam lure with freemail pivot

This rule detects BEC/Fraud lures that attempt to solicit the victim to pivot out of band via a freemail address in the body.

Sublime rule

 1name: "BEC/Fraud: Scam lure with freemail pivot"
 2description: "This message detects BEC/Fraud lures attempting to solicit the victim to pivot out of band via a freemail address in the body."
 3type: "rule"
 4severity: "low"
 5source: |
    // Heuristic for short, one-to-one scam lures: the message is addressed to
    // the sender's own address, carries a single link off the sender's domain,
    // uses salutation/urgency wording, and offers a freemail address as the
    // reply channel. Every clause is ANDed, so each one narrows the match.
 6  type.inbound
 7  
 8  // body is short
    // 800 characters reads as a tuning threshold for a terse lure; longer
    // threads are excluded outright.
 9  and length(body.current_thread.text) < 800
10  
11  // one recipient
12  and length(recipients.to) == 1
13  
14  // all recipients are the sender
    // Self-addressed mail (recipient equals sender); bcc is not inspected here.
    // Placeholder recipients such as "undisclosed recipients" carry no valid
    // domain, so they are admitted by display name instead.
15  and all(recipients.to,
16          .email.email == sender.email.email
17          and (
18            .email.domain.valid or strings.icontains(.display_name, "undisclosed")
19          )
20  )
21  
22  // not an org domain
    // Excludes recipients on the organization's own domains. NOTE(review): the
    // domain.valid / "undisclosed" clause is repeated from the all() above; the
    // two could be merged into a single all() over recipients.to.
23  and all(recipients.to,
24          .email.domain.root_domain not in $org_domains
25          and (
26            .email.domain.valid or strings.icontains(.display_name, "undisclosed")
27          )
28  )
29  
30  // one link
31  and length(body.links) == 1
32  
33  // links don't match sender
    // With exactly one link (above), this reduces to "the link's root domain
    // is not the sender's root domain".
34  and all(body.links,
35          .href_url.domain.root_domain != sender.email.domain.root_domain
36  )
37  
38  // scam indicators
    // Honorific followed by whitespace, "sir"/"madam"/"kindly", or German
    // urgency/claim wording (dringend = urgent, eingefordert = demanded,
    // anspruch = claim). NOTE(review): the alternatives are not anchored on
    // word boundaries and the match is case-insensitive, so "sir" also matches
    // inside "desire" and "Ms " inside "rooms "; \b anchors would tighten this.
39  and regex.icontains(body.current_thread.text,
40                      '((?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+)|(sir|madam|kindly)|(dringend|eingefordert|anspruch)'
41  )
42  
43  // body contains an email address to a freemail provider
    // NOTE(review): the two checks below are independent. The regex confirms
    // that *some* address appears in the text and the any() confirms that
    // *some* freemail provider string appears anywhere in the text, so a
    // corporate address plus a stray provider name elsewhere also matches, and
    // a provider name that is a substring of a longer domain matches too.
    // Binding them -- extracting the address's domain and testing it against
    // $free_email_providers -- would tighten the rule; confirm which regex
    // extraction helpers MQL offers before doing so.
44  and (
45    regex.contains(body.current_thread.text,
46                   "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
47    )
48    and any($free_email_providers, strings.icontains(body.current_thread.text, .))
49  )  
50attack_types:
51  - "BEC/Fraud"
52tactics_and_techniques:
53  - "Free email provider"
54  - "Out of band pivot"
55detection_methods:
56  - "Content analysis"
57  - "Header analysis"
58  - "Sender analysis"
59id: "898c769f-45a4-5561-8d51-be765addcf1d"