BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns

Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes.

Sublime rule (View on GitHub)

 1name: "BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns"
 2description: "Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  and 3 of (
 9    // urgent subjects
10    strings.ilike(subject.subject, '*quick question*'),
11    strings.ilike(subject.subject, '*urgent*request*'),
12    strings.ilike(subject.subject, '*are you available*'),
13    strings.ilike(subject.subject, '*need assistance*'),
14    strings.ilike(subject.subject, '*help*needed*'),
15    regex.icontains(subject.subject, 'favor\b'),
16    strings.ilike(subject.subject, '*checking in*'),
17    strings.ilike(subject.subject, '*awaiting*response*'),
18    strings.ilike(subject.subject, '*catch*up*'),
19
20
21  
22    // BEC body patterns
23    strings.ilike(body.current_thread.text, '*sorry to bother*'),
24    strings.ilike(body.current_thread.text, '*are you busy*'),
25    strings.ilike(body.current_thread.text, '*can you help*'),
26    strings.ilike(body.current_thread.text, '*do you have a moment*'),
27    strings.ilike(body.current_thread.text, '*please respond*asap*'),
28    strings.ilike(subject.subject, '*quick question*'),
29
30  
31    // brand name
32    regex.icontains(body.current_thread.text, 'a\s?m\s?a\s?z\s?o\s?n'), // Catches "Amaz on", "Amazon", etc.
33    regex.icontains(body.current_thread.text, 'p\s?a\s?y\s?p\s?a\s?l'),
34    regex.icontains(body.current_thread.text, 'a\s?p\s?p\s?l\s?e'),
35  
36    // short body
37    length(body.current_thread.text) < 200,
38    strings.count(body.current_thread.text, ' ') < 30
39  )
40  
41  and 3 of (
42    // suspicious sender
43    sender.email.domain.root_domain in $free_email_providers,
44    network.whois(sender.email.domain).days_old < 30,
45  
46    // suspicious recipient pattern
47    any(recipients.to, strings.ilike(.display_name, 'undisclosed?recipients')),
48    length(recipients.to) == 1, // Single recipient
49  
50    // header checks
51    strings.starts_with(headers.mailer, 'Open-Xchange Mailer'),
52    strings.ilike(headers.x_originating_ip.ip, '*.*.*.0'), // Common in some BEC campaigns
53    // deifferent reply-to address
54    (length(headers.reply_to) > 0 and sender.email.email not in map(headers.reply_to, .email.email)),
55    // sender display name is part of the subject
56    strings.icontains(subject.subject, sender.display_name),
57  )
58  and profile.by_sender_email().prevalence not in ("common")  
59
60attack_types:
61  - "BEC/Fraud"
62  - "Callback Phishing"
63  - "Spam"
64tactics_and_techniques:
65  - "Impersonation: Brand"
66  - "Social engineering"
67  - "Free email provider"
68detection_methods:
69  - "Content analysis"
70  - "Header analysis"
71  - "Sender analysis"
72  - "Whois"
73id: "ba8a79e0-cce3-57e8-bbc7-3b3d9f848761"