BEC/Fraud: Romance Scam

This rule detects messages attempting to initiate a Romance scam. The rule leverage tells such as undisclosed recipients, freemail emails in the body and common scam phrasing. Romance scams are deceptive schemes where scammers establish false romantic intentions towards individuals to gain their trust and eventually exploit them financially.

Sublime rule (View on GitHub)

 1name: "BEC/Fraud: Romance Scam"
 2description: "This rule detects messages attempting to initiate a Romance scam. The rule leverage tells such as undisclosed recipients, freemail emails in the body and common scam phrasing. Romance scams are deceptive schemes where scammers establish false romantic intentions towards individuals to gain their trust and eventually exploit them financially."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // no links
 9  and (
10    length(body.links) == 0
11  
12    // or 1 link, but link doesn't match the sender's domain
13    or (
14      length(body.links) == 1
15      and sender.email.domain.root_domain not in $free_email_providers
16      and all(body.links,
17              .href_url.domain.root_domain != sender.email.domain.root_domain
18      )
19    )
20  )
21  
22  // no attachments
23  and length(attachments) == 0
24  
25  // honorific 
26  and regex.icontains(sender.display_name,
27                      '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+'
28  )
29  
30  // And an email is found in the body, and a freemail domain is found also
31  and (
32    regex.contains(body.current_thread.text,
33                   "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
34    )
35    and any($free_email_providers, strings.icontains(body.current_thread.text, .))
36  )
37  
38  // common scammy phrases
39  and regex.icontains(body.current_thread.text,
40                      "(I am|My name is) .* (from|staying in) .+\\.",
41                      ".*(years old|cm|kg).*\\.",
42                      ".*(photo|pictures|sexy).*\\.",
43                      ".*(email|contact me|write to me|reply to me) at .*@.*\\."
44  )
45  and (
46    (
47      profile.by_sender().prevalence in ("new", "outlier")
48      and not profile.by_sender().solicited
49    )
50    or (
51      profile.by_sender().any_messages_malicious_or_spam
52      and not profile.by_sender().any_false_positives
53    )
54  )
55  and not profile.by_sender().any_false_positives  
56attack_types:
57  - "BEC/Fraud"
58tactics_and_techniques:
59  - "Free email provider"
60  - "Social engineering"
61detection_methods:
62  - "Content analysis"
63  - "Header analysis"
64id: "0243cdaa-b9c9-5df2-a309-debf06d909a7"
to-top