Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
Advance Fee Fraud (AFF) is a type of BEC/Fraud in which the victim is asked to pay upfront fees in exchange for promised future returns, such as lottery winnings, inheritance payouts, or investment opportunities. This rule identifies messages sent from freemail domains or suspicious TLDs, including messages whose reply-to addresses point at such domains. It uses Natural Language Understanding to detect AFF language in the message content, with a keyword fallback for short messages.
Sublime rule
name: "Advance Fee Fraud (AFF) from freemail provider or suspicious TLD"
description: |
  Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised
  future returns, such as lottery scams, inheritance payouts, and investment opportunities.
  This rule identifies messages from Freemail domains or suspicious TLDs, including those
  with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect
  AFF language in their contents.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    sender.email.domain.domain in $free_email_providers
    or (
      length(headers.reply_to) > 0
      and all(headers.reply_to,
              (
                .email.domain.root_domain in $free_email_providers
                or .email.domain.tld in $suspicious_tlds
                or (
                  network.whois(.email.domain).days_old < 365
                  and length(coalesce(body.html.raw, "")) == 0
                )
              )
              and .email.email != sender.email.email
      )
    )
    or sender.email.domain.tld in $suspicious_tlds
    or strings.iends_with(sender.email.domain.tld, ".jp")
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "advance_fee" and .confidence in ("medium", "high")
    )
    or (
      length(body.current_thread.text) < 200
      and regex.icontains(body.current_thread.text,
                          '(?:donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
      )
      and not regex.icontains(body.current_thread.text,
                              '(?:closed.{0,50})?\$\d,\d{3}\,\d{3}.{0,100}(?:homes|realty|sale)?'
      )
      and not any(body.links,
                  regex.icontains(.href_url.url,
                                  '(?:donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
                  )
      )
      and (
        (
          (
            length(headers.references) > 0
            or not any(headers.hops,
                       any(.fields, strings.ilike(.name, "In-Reply-To"))
            )
          )
          and not (
            (
              strings.istarts_with(subject.subject, "RE:")
              // out of office auto-reply
              or strings.istarts_with(subject.subject, "Automatic reply:")
              or strings.istarts_with(subject.subject, "R:")
              or strings.istarts_with(subject.subject, "ODG:")
              or strings.istarts_with(subject.subject, "答复:")
              or strings.istarts_with(subject.subject, "AW:")
              or strings.istarts_with(subject.subject, "TR:")
              or strings.istarts_with(subject.subject, "FWD:")
              or regex.icontains(subject.subject,
                                 '^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
              )
            )
          )
        )
        or any(headers.reply_to, .email.email != sender.email.email)
      )
    )
  )
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_messages_benign
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "6a5af373-a97b-5013-aeec-42ac8b4b8ba1"
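The following is an added Python model of the rule's decision logic, written here to show how the sender, content and sender-profile clauses combine; it is not Sublime's engine or the project's own code. It mirrors the rule's three regexes verbatim and the reply-subject prefix list, but replaces the NLU classifier with a boolean flag on the message, omits the whois "domain younger than 365 days" branch and the compound-TLD ".jp" check, and uses small constructed stand-ins for the $free_email_providers and $suspicious_tlds lists. The Message class, the sample messages and the provider/TLD sets are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for Sublime's $free_email_providers and $suspicious_tlds lists.
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
SUSPICIOUS_TLDS = {"xyz", "top", "cfd", "icu"}

# Patterns copied from the rule (regex.icontains is case-insensitive, hence re.I).
AFF_TERMS = re.compile(r"(?:donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)", re.I)
REAL_ESTATE = re.compile(r"(?:closed.{0,50})?\$\d,\d{3}\,\d{3}.{0,100}(?:homes|realty|sale)?", re.I)
REPLY_SUBJECT = re.compile(r"^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:", re.I)
REPLY_PREFIXES = ("RE:", "Automatic reply:", "R:", "ODG:", "答复:", "AW:", "TR:", "FWD:")


@dataclass
class Message:
    """Constructed stand-in for the message object the rule queries."""
    sender: str
    subject: str
    text: str                        # body.current_thread.text
    reply_to: list = field(default_factory=list)
    link_urls: list = field(default_factory=list)
    has_references: bool = False     # length(headers.references) > 0
    has_in_reply_to: bool = False    # some hop carries an In-Reply-To field
    nlu_advance_fee: bool = False    # stand-in for the ml.nlu_classifier verdict
    solicited: bool = False          # profile.by_sender().solicited
    sender_malicious_or_spam: bool = False
    sender_benign: bool = False


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def tld_of(domain: str) -> str:
    # Last label only; compound TLDs such as co.jp are not modelled here.
    return domain.rsplit(".", 1)[-1]


def freemail_or_suspicious(domain: str) -> bool:
    return domain in FREE_EMAIL_PROVIDERS or tld_of(domain) in SUSPICIOUS_TLDS


def suspicious_sender(msg: Message) -> bool:
    """Sender clause: freemail/suspicious From, or all Reply-To addresses are."""
    if freemail_or_suspicious(domain_of(msg.sender)):
        return True
    return bool(msg.reply_to) and all(
        freemail_or_suspicious(domain_of(r)) and r.lower() != msg.sender.lower()
        for r in msg.reply_to
    )


def is_reply_subject(subject: str) -> bool:
    s = subject.lower()
    return any(s.startswith(p.lower()) for p in REPLY_PREFIXES) or bool(REPLY_SUBJECT.search(subject))


def aff_language(msg: Message) -> bool:
    """Content clause: NLU verdict, or the short-message keyword fallback."""
    if msg.nlu_advance_fee:
        return True
    if len(msg.text) >= 200 or not AFF_TERMS.search(msg.text):
        return False
    if REAL_ESTATE.search(msg.text):          # real-estate false-positive exclusion
        return False
    if any(AFF_TERMS.search(u) for u in msg.link_urls):
        return False
    not_a_thread = (msg.has_references or not msg.has_in_reply_to) and not is_reply_subject(msg.subject)
    reply_to_differs = any(r.lower() != msg.sender.lower() for r in msg.reply_to)
    return not_a_thread or reply_to_differs


def matches_aff_rule(msg: Message) -> bool:
    return (
        suspicious_sender(msg)
        and aff_language(msg)
        and (not msg.solicited or msg.sender_malicious_or_spam)
        and not msg.sender_benign
    )


# Constructed sample messages.
SAMPLES = {
    "lottery": Message("claims.dept@gmail.com", "Congratulations winner",
                       "You have been selected as a lottery winner. Contact our agent to release the funds."),
    "realty": Message("agent@hotmail.com", "New listing",
                      "Just closed: $1,250,000 luxury homes for sale in your area."),
    "known_sender": Message("friend@yahoo.com", "Donation drive",
                            "Our donation drive starts Monday.", sender_benign=True),
    "reply_to": Message("ceo@corp-example.com", "RE: your claim",
                        "Your late uncle's inheritence awaits your claim. Reply to my private email.",
                        reply_to=["ceo.private@gmail.com"], has_in_reply_to=True),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: {matches_aff_rule(msg)}")
```

One thing the model makes visible: in the real-estate exclusion both the `closed` prefix and the `homes|realty|sale` suffix are optional groups, so the pattern matches any `$d,ddd,ddd` amount on its own. Inside the keyword fallback the `\$\d,\d{3}\,\d{3}` alternative of the first regex is therefore always cancelled by the exclusion, and only `donation`, `inheritence` and `lottery` can trigger that branch; a dollar figure alone reaches the rule only through the NLU intent.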