COVID-19 themed fraud with sender and reply-to mismatch or compensation award
Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance, compensation, or awards from mismatched senders and other suspicious language.
Sublime rule (View on GitHub)
name: "COVID-19 themed fraud with sender and reply-to mismatch or compensation award"
description: |
  Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance, compensation, or awards from mismatched senders and other suspicious language.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // mismatched sender (From) and Reply-to + freemail
  and any(headers.reply_to,
          length(headers.reply_to) > 0
          and all(headers.reply_to,
                  .email.domain.root_domain != sender.email.domain.root_domain
                  and .email.domain.root_domain in $free_email_providers
          )
  )

  // use of honorific
  and regex.icontains(body.current_thread.text,
                      '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+',
                      'Dear Sir'
  )

  // mention of an international organization or government agency
  and regex.icontains(body.current_thread.text,
                      'international (court of justice|monetary fund)',
                      'united nations',
                      'western union',
                      'world bank',
                      'world health organization',
                      'interpol',
                      'treasury',
                      '\bFEMA\b',
                      '\bIMF\b'
  )

  // and mention of covid in subject or body
  and (
    regex.icontains(subject.subject, 'covid(.{0,5}19)?\b')
    or regex.icontains(body.current_thread.text, 'covid(.{0,5}19)?\b')
  )

  // compensation or award related language: either two NLU entities
  // (urgency, request, financial) or an explicit subject/body pattern
  and (
    2 of (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "urgency"
      ),
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request"
      ),
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "financial"
      )
    )
    or regex.icontains(subject.subject,
                       'compensation.{0,20}(award|fund)',
                       'covid.{0,20}(compensation|award)',
                       'selected.{0,30}(compensation|award)',
                       'claim your award',
                       'reference no'
    )
    or regex.icontains(body.current_thread.text,
                       'compensation.{0,20}(award|fund)',
                       'covid.{0,20}(compensation|award)',
                       'selected.{0,30}(compensation|award)',
                       'claim your award',
                       'reference no\W\s*[^\s]*cov(?:id)?(?:.{0,5}19)?\b'
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // sender must be new/outlier and unsolicited, or previously flagged, and
  // never seen sending benign mail
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  and not profile.by_sender().any_messages_benign
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "a16480ef-07b8-5962-933a-9dbdfc5560d6"
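To test how the header and regex clauses of this rule behave against a message before deploying it, here is an added Python re-implementation of those clauses. It is example code written for this page, not Sublime's code or MQL: the NLU entity branch and the sender-profile clauses (prevalence, solicited, DMARC, trusted-domain lists) are omitted because they need platform history, the `$free_email_providers` list is replaced by a short constructed sample, and `root_domain` is approximated as the last two DNS labels (the real attribute is public-suffix aware). The two sample messages are constructed for the example.

```python
"""Regex/header subset of the COVID-19 compensation fraud rule, for offline
testing. Added example, not Sublime's code; NLU and sender-profile clauses
are intentionally left out."""
import re
from email import message_from_bytes, policy
from email.utils import getaddresses, parseaddr

# Constructed stand-in for Sublime's $free_email_providers list (assumption).
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Patterns copied from the rule; Python's re handles them unchanged.
HONORIFIC_RE = re.compile(r"(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+|Dear Sir", re.I)
ORG_RE = re.compile(
    r"international (?:court of justice|monetary fund)|united nations|western union"
    r"|world bank|world health organization|interpol|treasury|\bFEMA\b|\bIMF\b",
    re.I,
)
COVID_RE = re.compile(r"covid(?:.{0,5}19)?\b", re.I)
AWARD_COMMON = (
    r"compensation.{0,20}(?:award|fund)|covid.{0,20}(?:compensation|award)"
    r"|selected.{0,30}(?:compensation|award)|claim your award"
)
SUBJECT_AWARD_RE = re.compile(AWARD_COMMON + r"|reference no", re.I)
BODY_AWARD_RE = re.compile(AWARD_COMMON + r"|reference no\W\s*\S*cov(?:id)?(?:.{0,5}19)?\b", re.I)


def root_domain(address: str) -> str:
    """Approximate .domain.root_domain as the last two DNS labels.
    Simplification (assumption): a real implementation should consult the
    public suffix list so example.co.uk is not reduced to co.uk."""
    domain = address.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def reply_to_mismatch(msg) -> bool:
    """True when Reply-To is present and every Reply-To address sits on a
    freemail root domain that differs from the From root domain."""
    sender = parseaddr(msg.get("From", ""))[1]
    reply_tos = [addr for _, addr in getaddresses(msg.get_all("Reply-To", [])) if addr]
    if not sender or not reply_tos:
        return False
    sender_root = root_domain(sender)
    return all(
        root_domain(r) != sender_root and root_domain(r) in FREE_EMAIL_PROVIDERS
        for r in reply_tos
    )


def evaluate(raw: bytes) -> dict:
    """Run each clause over a raw RFC 5322 message; 'matched' is their AND."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    checks = {
        "reply_to_mismatch": reply_to_mismatch(msg),
        "honorific": bool(HONORIFIC_RE.search(body)),
        "organization": bool(ORG_RE.search(body)),
        "covid": bool(COVID_RE.search(subject) or COVID_RE.search(body)),
        "award_language": bool(SUBJECT_AWARD_RE.search(subject) or BODY_AWARD_RE.search(body)),
    }
    matched = all(checks.values())
    checks["matched"] = matched
    return checks


# Constructed sample messages (not real mail).
SCAM = b"""From: UN Compensation Desk <desk@un-relief.org>
Reply-To: claims.officer2021@gmail.com
Subject: COVID-19 Compensation Award - Reference No: UN/COV19/2021
Content-Type: text/plain; charset=utf-8

Dear Sir,

The United Nations in partnership with the World Bank has selected you for a
COVID-19 compensation fund of $850,000. Reply urgently with your bank details
to claim your award. Reference No: UN-COVID-19-0042.
"""

BENIGN = b"""From: HR Team <hr@example.com>
Reply-To: hr@example.com
Subject: Updated COVID-19 office guidance
Content-Type: text/plain; charset=utf-8

Hi all, please see the attached COVID-19 return-to-office guidance.
"""

if __name__ == "__main__":
    print("scam:", evaluate(SCAM))
    print("benign:", evaluate(BENIGN))
```

Two things worth noticing while testing: the honorific pattern has no leading word boundary, so under case-insensitive matching a body containing "forms " or "items " satisfies it via "ms "; in the full rule this is tolerable only because the other clauses must also hold. And because the reply-to check is `all(...)`, a scam that lists one freemail and one look-alike custom-domain Reply-To address will not match this clause at all.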