BEC/Fraud: Scam Lure with freemail pivot

This rule detects BEC/Fraud lures that attempt to solicit the victim to pivot out of band via a freemail address in the body.

Sublime rule (View on GitHub)

 1name: "BEC/Fraud: Scam Lure with freemail pivot"
 2description: "This message detects BEC/Fraud Lure's attempting to solicit the victim to pivot out of band via a freemail address in the body."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  
 8  // body is short
 9  and length(body.current_thread.text) < 800
10  
11  // one recipient
12  and length(recipients.to) == 1
13  
14  // all recipients are the sender
15  and all(recipients.to, .email.email == sender.email.email and (.email.domain.valid or strings.icontains(.display_name, "undisclosed")))
16  
17  // not an org domain
18  and all(recipients.to, .email.domain.root_domain not in $org_domains and (.email.domain.valid or strings.icontains(.display_name, "undisclosed")))
19  
20  // one link
21  and length(body.links) ==1
22  
23  // links don't match sender
24  and all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
25  
26  // scam indicators
27  and regex.icontains(body.current_thread.text, '((?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+)|(sir|madam|kindly)'
28    )
29  
30  // body contains an email address to a freemail provider
31  and (
32    regex.contains(body.current_thread.text, "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}")
33    and any($free_email_providers, strings.icontains(body.current_thread.text, .))
34  )
35  
36  // new and unsolicited and no malicious or FP's
37  and (
38    (
39      profile.by_sender().prevalence in ("new", "outlier")
40      and not profile.by_sender().solicited
41    )
42    or (
43      profile.by_sender().any_messages_malicious_or_spam
44      and not profile.by_sender().any_false_positives
45    )
46  )
47  and not profile.by_sender().any_false_positives  
48attack_types:
49  - "BEC/Fraud"
50tactics_and_techniques:
51  - "Free email provider"
52  - "Out of band pivot"
53detection_methods:
54  - "Content analysis"
55  - "Header analysis"
56  - "Sender analysis"
57id: "898c769f-45a4-5561-8d51-be765addcf1d"