BEC/Fraud: Romance scam

This rule detects messages attempting to initiate a Romance scam. The rule leverages tells such as undisclosed recipients, freemail addresses in the body and common scam phrasing. Romance scams are deceptive schemes in which scammers feign romantic intentions towards individuals to gain their trust and eventually exploit them financially.

Sublime rule (View on GitHub)

 1name: "BEC/Fraud: Romance scam"
 2description: "This rule detects messages attempting to initiate a Romance scam. The rule leverage tells such as undisclosed recipients, freemail emails in the body and common scam phrasing. Romance scams are deceptive schemes where scammers establish false romantic intentions towards individuals to gain their trust and eventually exploit them financially."
 3type: "rule"
 4severity: "medium"
 5source: |
    // Query shape: inbound AND link constraint AND no attachments
    // AND (one of two content profiles) AND sender-profile constraints.
    // Every top-level clause must hold for the rule to fire.
    // NOTE(review): the description mentions "undisclosed recipients", but no
    // recipient-based check appears in this source — confirm the description.
 6  type.inbound
 7  // no links
 8  and (
 9    length(body.links) == 0
10    // or 1 link, but link doesn't match the sender's domain
      // This alternative also requires a non-freemail sender, so the
      // freemail-sender content profile further down can only match
      // messages that carry zero links.
11    or (
12      length(body.links) == 1
13      and sender.email.domain.root_domain not in $free_email_providers
14      and all(body.links,
15              .href_url.domain.root_domain != sender.email.domain.root_domain
16      )
17    )
18  )
19  // no attachments
20  and length(attachments) == 0
21  and (
22    (
23      // honorific
      // Case-insensitive and unanchored: an honorific token followed by
      // whitespace anywhere in the display name satisfies this check.
24      regex.icontains(sender.display_name,
25                      '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+'
26      )
27      // And an email is found in the body, and a freemail domain is found also
      // The two checks below are independent: the freemail provider string
      // only has to occur somewhere in the thread text, not inside the
      // address matched by the email regex.
28      and regex.contains(body.current_thread.text,
29                         "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
30      )
31      and any($free_email_providers,
32              strings.icontains(body.current_thread.text, .)
33      )
34      // scammy phrases
      // Patterns are deliberately loose (greedy '.*'), favouring recall over
      // precision; the surrounding sender-profile clauses limit false positives.
      // NOTE(review): several patterns are passed to one regex.icontains call;
      // presumably any single hit is enough — confirm against the MQL docs.
35      and regex.icontains(body.current_thread.text,
36                          '(?:I am|My name is) .* (?:from|staying in) .+\.',
37                          '(?:years old|cm|kg).*\.',
38                          '(?:photo|pictures|sexy).*\.',
39                          '(?:email|contact me|write to me|reply to me) at .*@.*\.'
40      )
41    )
42    or (
43      // simple firstname lastname from freemail
      // NOTE(review): the name pattern is unanchored; whether regex.match
      // requires a full-string match decides if display names such as
      // "John Smith Jr" pass — confirm against the MQL docs.
44      sender.email.domain.root_domain in $free_email_providers
45      and regex.match(sender.display_name, '[A-Z][a-z]+ [A-Z][a-z]+')
46      // short message
      // Both phrase checks below must hit: a self-introduction ("I am ... from ...")
      // and an invitation to make contact.
47      and length(body.current_thread.text) < 200
48      and regex.icontains(body.current_thread.text,
49                          "(?:I am|My name is) [^.!?]{1,30} from [^.!?]{1,50}[.!?,]"
50      )
51      and regex.icontains(body.current_thread.text,
52                          '(?:can I|please) (?:talk to|contact|meet|chat with) (?:you|me)'
53      )
54    )
55  )
  // Sender reputation: either an unfamiliar, unsolicited sender, or one with
  // prior malicious/spam messages and no benign history.
56  and (
57    (
58      profile.by_sender().prevalence in ("new", "outlier")
59      and not profile.by_sender().solicited
60    )
61    or (
62      profile.by_sender().any_messages_malicious_or_spam
63      and not profile.by_sender().any_messages_benign
64    )
65  )
  // This clause subsumes the any_messages_benign check inside the second
  // alternative above: a sender with any benign history is excluded no matter
  // which alternative matched.
66  and not profile.by_sender().any_messages_benign  
67attack_types:
68  - "BEC/Fraud"
69tactics_and_techniques:
70  - "Free email provider"
71  - "Social engineering"
72detection_methods:
73  - "Content analysis"
74  - "Header analysis"
75id: "0243cdaa-b9c9-5df2-a309-debf06d909a7"