Advance Fee Fraud (AFF) from freemail provider or suspicious TLD

Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised future returns, such as lottery scams, inheritance payouts, and investment opportunities. This rule identifies messages from Freemail domains or suspicious TLDS, including those with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect AFF language in their contents.

Sublime rule (View on GitHub)

 1name: "Advance Fee Fraud (AFF) from freemail provider or suspicious TLD"
 2description: |
 3  Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised
 4  future returns, such as lottery scams, inheritance payouts, and investment opportunities.
 5  This rule identifies messages from Freemail domains or suspicious TLDS, including those
 6  with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect
 7  AFF language in their contents.  
 8type: "rule"
 9severity: "medium"
10source: |
11  type.inbound
12  and (
13    sender.email.domain.domain in $free_email_providers
14    or (
15      length(headers.reply_to) > 0
16      and all(headers.reply_to,
17              (
18                .email.domain.root_domain in $free_email_providers
19                or .email.domain.tld in $suspicious_tlds
20                or (
21                  network.whois(.email.domain).days_old < 365
22                  and length(coalesce(body.html.raw, "")) == 0
23                )
24              )
25              and .email.email != sender.email.email
26      )
27    )
28    or sender.email.domain.tld in $suspicious_tlds
29    or any(["jp", "jo"], strings.iends_with(sender.email.domain.tld, .))
30    or (
31      length(recipients.to) == 0
32      and any(headers.reply_to,
33              .email.domain.root_domain != sender.email.domain.root_domain
34      )
35    )
36  )
37  and (
38    any(ml.nlu_classifier(body.current_thread.text).intents,
39        .name == "advance_fee" and .confidence in ("medium", "high")
40    )
41    or (
42      length(body.current_thread.text) < 200
43      and regex.icontains(body.current_thread.text,
44                          '(?:donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
45      )
46      and not regex.icontains(body.current_thread.text,
47                              '(?:closed.{0,50})?\$\d,\d{3}\,\d{3}.{0,100}(?:homes|realty|sale)?'
48      )
49      and not any(body.links,
50                  regex.icontains(.href_url.url,
51                                  '(?:donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
52                  )
53      )
54      and (
55        (
56          (length(headers.references) > 0 or headers.in_reply_to is null)
57          and not (
58            (
59              strings.istarts_with(subject.subject, "RE:")
60              // out of office auto-reply
61              or strings.istarts_with(subject.subject, "Automatic reply:")
62              or strings.istarts_with(subject.subject, "R:")
63              or strings.istarts_with(subject.subject, "ODG:")
64              or strings.istarts_with(subject.subject, "答复:")
65              or strings.istarts_with(subject.subject, "AW:")
66              or strings.istarts_with(subject.subject, "TR:")
67              or strings.istarts_with(subject.subject, "FWD:")
68              or regex.icontains(subject.subject,
69                                 '^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
70              )
71            )
72          )
73        )
74        or any(headers.reply_to, .email.email != sender.email.email)
75      )
76    )
77  )
78  and (
79    not profile.by_sender().solicited
80    or profile.by_sender().any_messages_malicious_or_spam
81  )
82  and not profile.by_sender().any_messages_benign  
83attack_types:
84  - "BEC/Fraud"
85tactics_and_techniques:
86  - "Social engineering"
87detection_methods:
88  - "Content analysis"
89  - "Header analysis"
90  - "Natural Language Understanding"
91  - "Sender analysis"
92id: "6a5af373-a97b-5013-aeec-42ac8b4b8ba1"
to-top