BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns

calendar Jan 12, 2026  ·
Share on: linkedin copy

Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes.

Sublime rule (View on GitHub)

 1name: "BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns"
 2description: "Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and 3 of (
 8    // urgent subjects
 9    strings.ilike(subject.subject, '*quick question*'),
10    strings.ilike(subject.subject, '*urgent*request*'),
11    strings.ilike(subject.subject, '*are you available*'),
12    strings.ilike(subject.subject, '*need assistance*'),
13    strings.ilike(subject.subject, '*help*needed*'),
14    regex.icontains(subject.subject, 'favor\b'),
15    strings.ilike(subject.subject, '*checking in*'),
16    strings.ilike(subject.subject, '*awaiting*response*'),
17    strings.ilike(subject.subject, '*catch*up*'),
18  
19    // BEC body patterns
20    strings.ilike(body.current_thread.text, '*sorry to bother*'),
21    strings.ilike(body.current_thread.text, '*are you busy*'),
22    strings.ilike(body.current_thread.text, '*can you help*'),
23    strings.ilike(body.current_thread.text, '*do you have a moment*'),
24    strings.ilike(body.current_thread.text, '*please respond*asap*'),
25    strings.ilike(subject.subject, '*quick question*'),
26  
27    // brand name
28    regex.icontains(body.current_thread.text, 'a\s?m\s?a\s?z\s?o\s?n'), // Catches "Amaz on", "Amazon", etc.
29    regex.icontains(body.current_thread.text, 'p\s?a\s?y\s?p\s?a\s?l'),
30    regex.icontains(body.current_thread.text, 'a\s?p\s?p\s?l\s?e'),
31  
32    // short body
33    length(body.current_thread.text) < 200,
34    strings.count(body.current_thread.text, ' ') < 30
35  )
36  and 3 of (
37    // suspicious sender
38    sender.email.domain.root_domain in $free_email_providers,
39    network.whois(sender.email.domain).days_old < 30,
40  
41    // suspicious recipient pattern
42    any(recipients.to, strings.ilike(.display_name, 'undisclosed?recipients')),
43    length(recipients.to) == 1, // Single recipient
44  
45    // header checks
46    strings.starts_with(headers.mailer, 'Open-Xchange Mailer'),
47    strings.ilike(headers.x_originating_ip.ip, '*.*.*.0'), // Common in some BEC campaigns
48    // deifferent reply-to address
49    (
50      length(headers.reply_to) > 0
51      and sender.email.email not in map(headers.reply_to, .email.email)
52    ),
53    // sender display name is part of the subject
54    strings.icontains(subject.subject, sender.display_name),
55  )
56  and profile.by_sender_email().prevalence not in ("common")  
57attack_types:
58  - "BEC/Fraud"
59  - "Callback Phishing"
60  - "Spam"
61tactics_and_techniques:
62  - "Impersonation: Brand"
63  - "Social engineering"
64  - "Free email provider"
65detection_methods:
66  - "Content analysis"
67  - "Header analysis"
68  - "Sender analysis"
69  - "Whois"
70id: "ba8a79e0-cce3-57e8-bbc7-3b3d9f848761"
to-top