Body: Advance Fee Fraud (AFF) from Freemail providers or Suspicious TLDs
Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised future returns, such as lottery scams, inheritance payouts, and investment opportunities. This rule identifies messages from Freemail domains or suspicious TLDS, including those with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect AFF language in their contents.
Sublime rule (View on GitHub)
1name: "Body: Advance Fee Fraud (AFF) from Freemail providers or Suspicious TLDs"
2description: |
3 Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised
4 future returns, such as lottery scams, inheritance payouts, and investment opportunities.
5 This rule identifies messages from Freemail domains or suspicious TLDS, including those
6 with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect
7 AFF language in their contents.
8type: "rule"
9severity: "medium"
10source: |
11 type.inbound
12 and (
13 sender.email.domain.domain in $free_email_providers
14 or (
15 length(headers.reply_to) > 0
16 and all(headers.reply_to,
17 (
18 .email.domain.root_domain in $free_email_providers
19 or .email.domain.tld in $suspicious_tlds
20 )
21 and .email.email != sender.email.email
22 )
23 )
24 or sender.email.domain.tld in $suspicious_tlds
25 )
26 and any(ml.nlu_classifier(body.current_thread.text).tags,
27 .name == "advance_fee" and .confidence in ("medium", "high")
28 )
29 and (
30 profile.by_sender().prevalence in ("new", "outlier")
31 or (
32 profile.by_sender().any_messages_malicious_or_spam
33 and not profile.by_sender().any_false_positives
34 )
35 )
36
37attack_types:
38 - "BEC/Fraud"
39tactics_and_techniques:
40 - "Social engineering"
41detection_methods:
42 - "Content analysis"
43 - "Header analysis"
44 - "Natural Language Understanding"
45 - "Sender analysis"
46id: "6a5af373-a97b-5013-aeec-42ac8b4b8ba1"