BEC/Fraud: Scam Lure with freemail pivot
This message detects BEC/Fraud Lure's attempting to solicit the victim to pivot out of band via a freemail address in the body.
Sublime rule (View on GitHub)
1name: "BEC/Fraud: Scam Lure with freemail pivot"
2description: "This message detects BEC/Fraud Lure's attempting to solicit the victim to pivot out of band via a freemail address in the body."
3type: "rule"
4severity: "low"
5source: |
6 type.inbound
7
8 // body is short
9 and length(body.current_thread.text) < 800
10
11 // one recipient
12 and length(recipients.to) == 1
13
14 // all recipients are the sender
15 and all(recipients.to, .email.email == sender.email.email and (.email.domain.valid or strings.icontains(.display_name, "undisclosed")))
16
17 // not an org domain
18 and all(recipients.to, .email.domain.root_domain not in $org_domains and (.email.domain.valid or strings.icontains(.display_name, "undisclosed")))
19
20 // one link
21 and length(body.links) ==1
22
23 // links don't match sender
24 and all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
25
26 // scam indicators
27 and regex.icontains(body.current_thread.text, '((?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+)|(sir|madam|kindly)'
28 )
29
30 // body contains an email address to a freemail provider
31 and (
32 regex.contains(body.current_thread.text, "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}")
33 and any($free_email_providers, strings.icontains(body.current_thread.text, .))
34 )
35
36 // new and unsolicited and no malicious or FP's
37 and (
38 (
39 profile.by_sender().prevalence in ("new", "outlier")
40 and not profile.by_sender().solicited
41 )
42 or (
43 profile.by_sender().any_messages_malicious_or_spam
44 and not profile.by_sender().any_false_positives
45 )
46 )
47 and not profile.by_sender().any_false_positives
48attack_types:
49 - "BEC/Fraud"
50tactics_and_techniques:
51 - "Free email provider"
52 - "Out of band pivot"
53detection_methods:
54 - "Content analysis"
55 - "Header analysis"
56 - "Sender analysis"
57id: "898c769f-45a4-5561-8d51-be765addcf1d"