Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised future returns, such as lottery scams, inheritance payouts, and investment opportunities. This rule identifies messages from Freemail domains or suspicious TLDS, including those with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect AFF language in their contents.
Sublime rule (View on GitHub)
1name: "Advance Fee Fraud (AFF) from freemail provider or suspicious TLD"
2description: |
3 Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised
4 future returns, such as lottery scams, inheritance payouts, and investment opportunities.
5 This rule identifies messages from Freemail domains or suspicious TLDS, including those
6 with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect
7 AFF language in their contents.
8type: "rule"
9severity: "medium"
10source: |
11 type.inbound
12 and (
13 sender.email.domain.domain in $free_email_providers
14 or (
15 length(headers.reply_to) > 0
16 and all(headers.reply_to,
17 (
18 .email.domain.root_domain in $free_email_providers
19 or .email.domain.tld in $suspicious_tlds
20 )
21 and .email.email != sender.email.email
22 )
23 )
24 or sender.email.domain.tld in $suspicious_tlds
25 )
26 and (
27 any(ml.nlu_classifier(body.current_thread.text).tags,
28 .name == "advance_fee" and .confidence in ("medium", "high")
29 )
30 or (
31 length(body.current_thread.text) < 200
32 and regex.icontains(body.current_thread.text,
33 '(donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
34 )
35 and (
36 (
37 (
38 length(headers.references) > 0
39 or not any(headers.hops,
40 any(.fields, strings.ilike(.name, "In-Reply-To"))
41 )
42 )
43 and not (
44 (
45 strings.istarts_with(subject.subject, "RE:")
46 // out of office auto-reply
47 or strings.istarts_with(subject.subject, "Automatic reply:")
48 or strings.istarts_with(subject.subject, "R:")
49 or strings.istarts_with(subject.subject, "ODG:")
50 or strings.istarts_with(subject.subject, "答复:")
51 or strings.istarts_with(subject.subject, "AW:")
52 or strings.istarts_with(subject.subject, "TR:")
53 or strings.istarts_with(subject.subject, "FWD:")
54 or regex.icontains(subject.subject,
55 '^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
56 )
57 )
58 )
59 )
60 or any(headers.reply_to, .email.email != sender.email.email)
61 )
62 )
63 )
64 and (
65 not profile.by_sender().solicited
66 or profile.by_sender().any_messages_malicious_or_spam
67 )
68 and not profile.by_sender().any_false_positives
69attack_types:
70 - "BEC/Fraud"
71tactics_and_techniques:
72 - "Social engineering"
73detection_methods:
74 - "Content analysis"
75 - "Header analysis"
76 - "Natural Language Understanding"
77 - "Sender analysis"
78id: "6a5af373-a97b-5013-aeec-42ac8b4b8ba1"