COVID-19 themed fraud with sender and reply-to mismatch or compensation award

Detects potential COVID-19 themed BEC/Fraud scams sent from mismatched senders by analyzing the email body for mentions of COVID-19 assistance, compensation, or awards together with other suspicious language.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The MQL in "source" is one top-level conjunction:
# every clause below must hold before the message is flagged.
name: "COVID-19 themed fraud with sender and reply-to mismatch or compensation award"
description: |
    Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance, compensation, or awards from mismatched senders and other suspicious language.
type: "rule"
severity: "medium"
# MQL (Sublime Message Query Language): "//" starts a comment; "$name" references a
# list defined outside this rule ($free_email_providers, $high_trust_sender_root_domains).
source: |
  // scope: inbound messages only
  type.inbound
  
  // mismatched sender (From) and Reply-to + freemail
  // Every Reply-To address must (a) be on a different root domain than the From address
  // and (b) be on a free-mail provider. The outer any() only adds the non-empty check that
  // length() > 0 already makes; the per-address condition lives in the inner all().
  and any(headers.reply_to,
          length(headers.reply_to) > 0
          and all(headers.reply_to,
                  .email.domain.root_domain != sender.email.domain.root_domain
                  and .email.domain.root_domain in $free_email_providers
          )
  )
  
  // use of honorific
  // NOTE(review): regex.icontains is a case-insensitive substring search and this first
  // pattern has no leading \b, so common words ending in "ms" followed by whitespace
  // ("terms ", "forms ", "claims ") satisfy the Ms alternative. The '\bFEMA\b' pattern
  // further down shows the anchor is available; consider '\b(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+'.
  and regex.icontains(body.current_thread.text,
                      '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+',
                      'Dear Sir'
  )
  
  // mention of covid or an international organization
  // Only organisation/agency names are listed here; the covid mention itself is required
  // by the next clause. All patterns except FEMA/IMF are unanchored substrings
  // ('interpol' also matches "interpolation").
  and regex.icontains(body.current_thread.text,
                      'international (court of justice|monetary fund)',
                      'united nations',
                      'western union',
                      'world bank',
                      'world health organization',
                      'interpol',
                      'treasury',
                      '\bFEMA\b',
                      '\bIMF\b'
  )
  
  // and mention of covid in subject or body
  // "covid", optionally followed by up to 5 characters and "19", then a word boundary
  // (matches "covid", "covid-19", "covid 19").
  and (
    regex.icontains(subject.subject, 'covid(.{0,5}19)?\b')
    or regex.icontains(body.current_thread.text, 'covid(.{0,5}19)?\b')
  )
  
  // Check for compensation or award related language
  // Satisfied by EITHER at least two of the three NLU entity names (urgency, request,
  // financial) OR one of the compensation/award regexes in the subject or body.
  // NOTE(review): the subject list ends with a bare 'reference no' while the body list
  // requires it to be followed by a covid token; presumably deliberate because subjects
  // are short, but confirm the looser subject form is intended.
  and (
    2 of (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "urgency"
      ),
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request"
      ),
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "financial"
      )
    )
    or regex.icontains(subject.subject,
                       'compensation.{0,20}(award|fund)',
                       'covid.{0,20}(compensation|award)',
                       'selected.{0,30}(compensation|award)',
                       'claim your award',
                       'reference no'
    )
    or regex.icontains(body.current_thread.text,
                       'compensation.{0,20}(award|fund)',
                       'covid.{0,20}(compensation|award)',
                       'selected.{0,30}(compensation|award)',
                       'claim your award',
                       'reference no\W\s*[^\s]*cov(?:id)?(?:.{0,5}19)?\b'
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // Equivalent to: not (root domain in $high_trust_sender_root_domains and DMARC pass).
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender reputation: either new/outlier and unsolicited, or a prior malicious/spam
  // history with no benign history. The trailing "and not ...any_messages_benign" after
  // this block applies to both branches, so the same check inside the second branch is
  // redundant (harmless).
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  and not profile.by_sender().any_messages_benign  
# classification metadata
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "a16480ef-07b8-5962-933a-9dbdfc5560d6"