BEC/Fraud: Romance Scam
This rule detects messages attempting to initiate a romance scam. It leverages tells such as an honorific in the sender's display name, a free-mail address quoted in the message body, and common scam phrasing, gated on sender-profile signals (a new or outlier unsolicited sender, or a sender with prior malicious/spam messages and no false positives). Note that the rule logic shown below does not inspect recipient headers, so "undisclosed recipients" is not actually one of the tells it evaluates. Romance scams are deceptive schemes in which scammers feign romantic interest toward individuals to gain their trust and eventually exploit them financially.
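name: "BEC/Fraud: Romance Scam"
description: "This rule detects messages attempting to initiate a romance scam. It leverages tells such as an honorific in the sender's display name, a free email address quoted in the message body, and common scam phrasing, gated on sender-profile signals (a new or outlier unsolicited sender, or a sender with prior malicious/spam messages and no false positives). Romance scams are deceptive schemes where scammers establish false romantic intentions towards individuals to gain their trust and eventually exploit them financially."
type: "rule"
severity: "medium"
source: |
  // Romance-scam lure: a minimal inbound message (no attachments, at most one
  // off-domain link) from a sender using an honorific, that quotes a freemail
  // contact address in the body, uses stock scam phrasing, and comes from a
  // sender profile that is new/outlier or previously flagged.
  // NOTE(review): recipient headers are not inspected; add a recipients.to
  // check here if "undisclosed recipients" is wanted as a tell.
  type.inbound

  // no links
  and (
    length(body.links) == 0

    // or 1 link, but link doesn't match the sender's domain.
    // Freemail senders are excluded from this branch because a freemail root
    // domain would never equal a link domain in a meaningful way.
    or (
      length(body.links) == 1
      and sender.email.domain.root_domain not in $free_email_providers
      and all(body.links,
              .href_url.domain.root_domain != sender.email.domain.root_domain
      )
    )
  )

  // no attachments
  and length(attachments) == 0

  // honorific in the display name.
  // Unanchored substring match: any display name containing one of these
  // tokens followed by whitespace (e.g. "Omr ") also matches; anchor with ^
  // or a word boundary if precision becomes a problem.
  and regex.icontains(sender.display_name,
                      '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+'
  )

  // And an email is found in the body, and a freemail domain is found also.
  // These two tests are independent: the address matched by the regex need
  // not itself be on a freemail domain, only some freemail domain string
  // must appear somewhere in the current thread text.
  and (
    regex.contains(body.current_thread.text,
                   "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
    )
    and any($free_email_providers, strings.icontains(body.current_thread.text, .))
  )

  // common scammy phrases: any one of the patterns is sufficient.
  // Each pattern ends in \\. so the tell must be followed by a period; with
  // RE2-style dot semantics (assumed here) that period has to be on the same
  // line as the tell. The short tokens "cm" and "kg" are loose and rely on
  // the surrounding conditions to keep false positives down.
  and regex.icontains(body.current_thread.text,
                      "(I am|My name is) .* (from|staying in) .+\\.",
                      ".*(years old|cm|kg).*\\.",
                      ".*(photo|pictures|sexy).*\\.",
                      ".*(email|contact me|write to me|reply to me) at .*@.*\\."
  )

  // sender profile gating: either an unsolicited new/outlier sender, or a
  // sender with prior malicious/spam verdicts and no false positives
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // global false-positive guard: the new/outlier branch above does not check
  // this on its own, so it is applied once here for both branches
  and not profile.by_sender().any_false_positives
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
id: "0243cdaa-b9c9-5df2-a309-debf06d909a7"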