Advance Fee Fraud (AFF) from freemail provider or suspicious TLD

 1name: "Advance Fee Fraud (AFF) from freemail provider or suspicious TLD"
 2description: |
 3  Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised
 4  future returns, such as lottery scams, inheritance payouts, and investment opportunities.
 5  This rule identifies messages from Freemail domains or suspicious TLDS, including those
 6  with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect
 7  AFF language in their contents.  
 8type: "rule"
 9severity: "medium"
10source: |
11  type.inbound
12  and (
13    sender.email.domain.domain in $free_email_providers
14    or (
15      length(headers.reply_to) > 0
16      and all(headers.reply_to,
17              (
18                .email.domain.root_domain in $free_email_providers
19                or .email.domain.tld in $suspicious_tlds
20              )
21              and .email.email != sender.email.email
22      )
23    )
24    or sender.email.domain.tld in $suspicious_tlds
25  )
26  and (
27    any(ml.nlu_classifier(body.current_thread.text).tags,
28        .name == "advance_fee" and .confidence in ("medium", "high")
29    )
30    or (
31      length(body.current_thread.text) < 200
32      and regex.icontains(body.current_thread.text,
33                          '(donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
34      )
35    )
36  )
37  and (
38      not profile.by_sender().solicited
39      or profile.by_sender().any_messages_malicious_or_spam
40    )
41  
42    and not profile.by_sender().any_false_positives  
43attack_types:
44  - "BEC/Fraud"
45tactics_and_techniques:
46  - "Social engineering"
47detection_methods:
48  - "Content analysis"
49  - "Header analysis"
50  - "Natural Language Understanding"
51  - "Sender analysis"
52id: "6a5af373-a97b-5013-aeec-42ac8b4b8ba1"