Advance Fee Fraud (AFF) from freemail provider or suspicious TLD

calendar Apr 11, 2025  ·
Share on: linkedin copy

Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised future returns, such as lottery scams, inheritance payouts, and investment opportunities. This rule identifies messages from Freemail domains or suspicious TLDS, including those with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect AFF language in their contents.

Sublime rule (View on GitHub)

 1name: "Advance Fee Fraud (AFF) from freemail provider or suspicious TLD"
 2description: |
 3  Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised
 4  future returns, such as lottery scams, inheritance payouts, and investment opportunities.
 5  This rule identifies messages from Freemail domains or suspicious TLDS, including those
 6  with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect
 7  AFF language in their contents.  
 8type: "rule"
 9severity: "medium"
10source: |
11  type.inbound
12  and (
13    sender.email.domain.domain in $free_email_providers
14    or (
15      length(headers.reply_to) > 0
16      and all(headers.reply_to,
17              (
18                .email.domain.root_domain in $free_email_providers
19                or .email.domain.tld in $suspicious_tlds
20              )
21              and .email.email != sender.email.email
22      )
23    )
24    or sender.email.domain.tld in $suspicious_tlds
25  )
26  and (
27    any(ml.nlu_classifier(body.current_thread.text).intents,
28        .name == "advance_fee" and .confidence in ("medium", "high")
29    )
30    or (
31      length(body.current_thread.text) < 200
32      and regex.icontains(body.current_thread.text,
33                          '(donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
34      )
35      and not regex.icontains(body.current_thread.text,
36                              '(closed.{0,50})?\$\d,\d{3}\,\d{3}.{0,100}(homes|realty|sale)?'
37      )
38      and not any(body.links,
39                  regex.icontains(.href_url.url,
40                                  '(donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
41                  )
42      )
43      and (
44        (
45          (
46            length(headers.references) > 0
47            or not any(headers.hops,
48                       any(.fields, strings.ilike(.name, "In-Reply-To"))
49            )
50          )
51          and not (
52            (
53              strings.istarts_with(subject.subject, "RE:")
54              // out of office auto-reply
55              or strings.istarts_with(subject.subject, "Automatic reply:")
56              or strings.istarts_with(subject.subject, "R:")
57              or strings.istarts_with(subject.subject, "ODG:")
58              or strings.istarts_with(subject.subject, "答复:")
59              or strings.istarts_with(subject.subject, "AW:")
60              or strings.istarts_with(subject.subject, "TR:")
61              or strings.istarts_with(subject.subject, "FWD:")
62              or regex.icontains(subject.subject,
63                                 '^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
64              )
65            )
66          )
67        )
68        or any(headers.reply_to, .email.email != sender.email.email)
69      )
70    )
71  )
72  and (
73    not profile.by_sender().solicited
74    or profile.by_sender().any_messages_malicious_or_spam
75  )
76  and not profile.by_sender().any_false_positives  
77attack_types:
78  - "BEC/Fraud"
79tactics_and_techniques:
80  - "Social engineering"
81detection_methods:
82  - "Content analysis"
83  - "Header analysis"
84  - "Natural Language Understanding"
85  - "Sender analysis"
86id: "6a5af373-a97b-5013-aeec-42ac8b4b8ba1"
to-top