BEC/Fraud: Unsolicited business acquisition offer

Detects inbound messages with subjects referencing an offer to purchase, combined with body content mentioning private equity, acquiring companies, or discussing an opportunity. These messages are characteristic of fraudulent or unsolicited business acquisition solicitations designed to engage targets in fraudulent financial dealings.

Sublime rule

```yaml
name: "BEC/Fraud: Unsolicited business acquisition offer"
description: "Detects inbound messages with subjects referencing an offer to purchase, combined with body content mentioning private equity, acquiring companies, or discussing an opportunity. These messages are characteristic of fraudulent or unsolicited business acquisition solicitations designed to engage targets in fraudulent financial dealings."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.icontains(subject.base,
                        "Offer to Purchase",
                        "Transaction Opportunity"
  )
  and (
    strings.icontains(body.plain.raw,
                      "private equity",
                      "acquiring companies",
                      "discuss the opportunity"
    )
    or (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "financial" and strings.icontains(.text, "purchase")
      )
      and any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "B2B Cold Outreach" and .confidence == "high"
      )
    )
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
id: "b79e655b-5b3f-5857-9849-39de16937a51"
```
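To see how the rule's boolean structure behaves on concrete messages, here is an added Python re-implementation of its logic (not Sublime's code or engine). The NLU classifier output is modelled as constructed entity/topic lists rather than computed, and `subject.base` is approximated by stripping reply/forward prefixes, which is an assumption about that field.

```python
import re
from dataclasses import dataclass, field

SUBJECT_TERMS = ("Offer to Purchase", "Transaction Opportunity")
BODY_TERMS = ("private equity", "acquiring companies", "discuss the opportunity")
PREFIX_RE = re.compile(r"^\s*((re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


@dataclass
class Message:
    """Constructed stand-in for the MQL fields the rule reads."""
    inbound: bool
    subject: str
    body: str
    entities: list = field(default_factory=list)  # [{"name": ..., "text": ...}]
    topics: list = field(default_factory=list)    # [{"name": ..., "confidence": ...}]


def icontains(haystack: str, *needles: str) -> bool:
    """Mirror of strings.icontains: case-insensitive match on any needle."""
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def base_subject(subject: str) -> str:
    """Approximation of subject.base: drop Re:/Fw:/Fwd: prefixes (assumption)."""
    return PREFIX_RE.sub("", subject)


def matches_rule(msg: Message) -> bool:
    """Evaluate the rule's source block against one message."""
    if not msg.inbound or not icontains(base_subject(msg.subject), *SUBJECT_TERMS):
        return False
    keyword_branch = icontains(msg.body, *BODY_TERMS)
    nlu_branch = any(
        e["name"] == "financial" and icontains(e["text"], "purchase") for e in msg.entities
    ) and any(
        t["name"] == "B2B Cold Outreach" and t["confidence"] == "high" for t in msg.topics
    )
    return keyword_branch or nlu_branch


# Constructed sample messages covering each branch and two non-matches.
HIT_KEYWORDS = Message(True, "RE: Offer to Purchase your company",
                       "Our private equity group would like to talk.")
HIT_NLU = Message(True, "Transaction opportunity", "We may purchase your firm.",
                  entities=[{"name": "financial", "text": "purchase your firm"}],
                  topics=[{"name": "B2B Cold Outreach", "confidence": "high"}])
MISS_OUTBOUND = Message(False, "Offer to Purchase", "private equity")
MISS_LOW_CONF = Message(True, "Transaction Opportunity", "Let's talk.",
                        entities=[{"name": "financial", "text": "purchase"}],
                        topics=[{"name": "B2B Cold Outreach", "confidence": "medium"}])
```

Only the first branch is pure string matching; the second depends on classifier output, so when tuning the rule it helps to check which branch fired on a given alert.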