BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns
Identifies inbound messages that combine urgent-language patterns with sender behavioral traits common in social-engineering fraud. The rule requires at least three content indicators (urgent subject lines, characteristic BEC body phrases, brand names written with optional spacing such as "Amaz on", and a short body) together with at least three sender or infrastructure indicators (free email provider, newly registered domain, undisclosed or single recipients, a specific mailer header, and an originating IP ending in .0), and only fires when the sender is not already common for the recipient organization.
Sublime rule
name: "BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns"
description: "Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes."
type: "rule"
severity: "medium"
source: |
  type.inbound

  and 3 of (
    // urgent subjects
    strings.ilike(subject.subject, '*quick question*'),
    strings.ilike(subject.subject, '*urgent*request*'),
    strings.ilike(subject.subject, '*are you available*'),
    strings.ilike(subject.subject, '*need assistance*'),
    strings.ilike(subject.subject, '*help*needed*'),

    // BEC body patterns
    strings.ilike(body.current_thread.text, '*sorry to bother*'),
    strings.ilike(body.current_thread.text, '*are you busy*'),
    strings.ilike(body.current_thread.text, '*can you help*'),
    strings.ilike(body.current_thread.text, '*do you have a moment*'),
    strings.ilike(body.current_thread.text, '*please respond*asap*'),

    // brand name, with optional whitespace between letters
    regex.icontains(body.current_thread.text, 'a\s?m\s?a\s?z\s?o\s?n'), // Catches "Amaz on", "Amazon", etc.
    regex.icontains(body.current_thread.text, 'p\s?a\s?y\s?p\s?a\s?l'),
    regex.icontains(body.current_thread.text, 'a\s?p\s?p\s?l\s?e'),

    // short body
    length(body.current_thread.text) < 200,
    strings.count(body.current_thread.text, ' ') < 30
  )

  and 3 of (
    // suspicious sender
    sender.email.domain.root_domain in $free_email_providers,
    network.whois(sender.email.domain).days_old < 30,

    // suspicious recipient pattern
    any(recipients.to, strings.ilike(.display_name, 'undisclosed?recipients')),
    length(recipients.to) == 1, // Single recipient

    // header checks
    strings.starts_with(headers.mailer, 'Open-Xchange Mailer'),
    strings.ilike(headers.x_originating_ip.ip, '*.*.*.0') // Common in some BEC campaigns
  )
  and profile.by_sender_email().prevalence not in ("common")

attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
  - "Spam"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
  - "Free email provider"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "Whois"
id: "ba8a79e0-cce3-57e8-bbc7-3b3d9f848761"
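To see how the two "3 of" indicator groups and the prevalence gate interact, the following Python re-implements the rule's counting logic over constructed sample messages. This is an added example and not Sublime's code or MQL engine: strings.ilike is approximated with a case-insensitive glob, $free_email_providers is replaced by a small hard-coded set, and the whois domain age and sender prevalence are supplied as plain fields rather than looked up. The message samples are constructed for illustration.

```python
"""Re-implementation of the rule's indicator counting (not Sublime's MQL engine)."""
import re
from dataclasses import dataclass, replace
from fnmatch import fnmatchcase

# Constructed stand-in for Sublime's $free_email_providers list (assumption).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}

URGENT_SUBJECTS = ["*quick question*", "*urgent*request*", "*are you available*",
                   "*need assistance*", "*help*needed*"]
BEC_BODY = ["*sorry to bother*", "*are you busy*", "*can you help*",
            "*do you have a moment*", "*please respond*asap*"]
# Optional whitespace between letters, exactly as the rule writes them
# (e.g. a\s?m\s?a\s?z\s?o\s?n), so "Amaz on" is caught as well as "Amazon".
BRANDS = {name: re.compile(r"\s?".join(name), re.IGNORECASE)
          for name in ("amazon", "paypal", "apple")}


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive glob approximating MQL strings.ilike:
    '*' matches any run of characters, '?' exactly one character."""
    return fnmatchcase(value.lower(), pattern.lower())


def brand_hits(text: str) -> list:
    """Brand names found by the spaced-letter regexes (see caveat below)."""
    return [name for name, rx in BRANDS.items() if rx.search(text)]


@dataclass
class Message:
    subject: str
    body: str                       # body.current_thread.text
    sender_root_domain: str         # sender.email.domain.root_domain
    sender_domain_age_days: int     # stand-in for network.whois(...).days_old
    to_display_names: list          # recipients.to[].display_name
    mailer: str = ""                # headers.mailer
    x_originating_ip: str = ""      # headers.x_originating_ip.ip
    sender_prevalence: str = "new"  # stand-in for profile.by_sender_email().prevalence


def content_indicators(m: Message) -> list:
    """First '3 of' group: urgent subject, BEC body phrases, brand, short body."""
    hits = [p for p in URGENT_SUBJECTS if ilike(m.subject, p)]
    hits += [p for p in BEC_BODY if ilike(m.body, p)]
    hits += ["brand:" + b for b in brand_hits(m.body)]
    if len(m.body) < 200:
        hits.append("body shorter than 200 chars")
    if m.body.count(" ") < 30:
        hits.append("fewer than 30 spaces in body")
    return hits


def sender_indicators(m: Message) -> list:
    """Second '3 of' group: sender, recipient and header traits."""
    hits = []
    if m.sender_root_domain in FREE_EMAIL_PROVIDERS:
        hits.append("free email provider")
    if m.sender_domain_age_days < 30:
        hits.append("sender domain younger than 30 days")
    if any(ilike(n, "undisclosed?recipients") for n in m.to_display_names):
        hits.append("undisclosed recipients")
    if len(m.to_display_names) == 1:
        hits.append("single recipient")
    if m.mailer.startswith("Open-Xchange Mailer"):
        hits.append("Open-Xchange mailer")
    if ilike(m.x_originating_ip, "*.*.*.0"):
        hits.append("originating IP ends in .0")
    return hits


def matches(m: Message) -> bool:
    """The rule fires only when both groups reach 3 and the sender is not common."""
    return (len(content_indicators(m)) >= 3
            and len(sender_indicators(m)) >= 3
            and m.sender_prevalence != "common")


# Constructed samples (not real messages).
BEC_SAMPLE = Message(
    subject="Quick question",
    body="Hi, sorry to bother you. Are you busy? I need a favor, can you help me "
         "buy Amaz on gift cards today? Please respond ASAP.",
    sender_root_domain="gmail.com", sender_domain_age_days=5000,
    to_display_names=["Jane Doe"], mailer="Open-Xchange Mailer v7",
    x_originating_ip="203.0.113.0", sender_prevalence="new")

BENIGN_SAMPLE = Message(
    subject="Q3 budget review notes",
    body="Hello team, attached are the notes from Thursday's budget review. The finance "
         "group agreed to hold headcount flat for the quarter and to move the remaining "
         "travel budget into the training line. Let me know by Friday if any of the "
         "figures look wrong and I will fix them before the deck goes to leadership.",
    sender_root_domain="example.com", sender_domain_age_days=4000,
    to_display_names=["Alice", "Bob", "Carol"], mailer="Microsoft Outlook 16.0",
    x_originating_ip="198.51.100.25", sender_prevalence="common")

if __name__ == "__main__":
    for name, msg in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, matches(msg), content_indicators(msg), sender_indicators(msg))
```

Two tuning points fall out of running this. First, the prevalence gate is the only thing standing between a common sender and a match, so a known correspondent who writes short, urgent notes from a free-mail address is suppressed by that clause alone; `replace(BEC_SAMPLE, sender_prevalence="common")` no longer matches. Second, the spaced-letter brand regexes are not anchored to word boundaries, so ordinary text such as "wrap plenty of bubble wrap" satisfies `a\s?p\s?p\s?l\s?e` and counts as a brand indicator; that is one content hit of the three required, not a match on its own, but it is worth knowing when reviewing false positives.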