COVID-19 themed fraud with sender and reply-to mismatch

calendar May 3, 2024  ·
Share on: linkedin copy

Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance from mismatched senders and other suspicious language.

Sublime rule (View on GitHub)

 1name: "COVID-19 themed fraud with sender and reply-to mismatch"
 2description: |
 3    Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance from mismatched senders and other suspicious language.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  
 9  // mismatched sender (From) and Reply-to + freemail
10  and any(headers.reply_to,
11          length(headers.reply_to) > 0
12          and all(headers.reply_to,
13                  .email.domain.root_domain != sender.email.domain.root_domain
14                  and .email.domain.root_domain in $free_email_providers
15          )
16  )
17  
18  // use of honorific
19  and regex.icontains(body.current_thread.text,
20                      '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+'
21  )
22  
23  // mention of covid or an interational organization
24  and regex.icontains(body.current_thread.text,
25                      'international (court of justice|monetary fund)',
26                      'united nations',
27                      'western union',
28                      'world bank',
29                      'world health organization',
30                      'interpol',
31                      'treasury',
32                      '\bFEMA\b',
33  )
34  
35  // and mention of covid in subject or body
36  and regex.icontains(body.current_thread.text, 'covid(.0,5}19)?\b')
37  
38  // urgent financial requests
39  and 2 of (
40    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
41    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request"),
42    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial")
43  )
44  
45   // negate highly trusted sender domains unless they fail DMARC authentication
46  and (
47    (
48      sender.email.domain.root_domain in $high_trust_sender_root_domains
49      and not headers.auth_summary.dmarc.pass
50    )
51    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
52  )
53  and (
54    (
55      profile.by_sender().prevalence in ("new", "outlier")
56      and not profile.by_sender().solicited
57    )
58    or (
59      profile.by_sender().any_messages_malicious_or_spam
60      and not profile.by_sender().any_false_positives
61    )
62  )
63  and not profile.by_sender().any_false_positives  
64attack_types:
65  - "BEC/Fraud"
66tactics_and_techniques:
67  - "Free email provider"
68  - "Social engineering"
69detection_methods:
70  - "Content analysis"
71  - "Header analysis"
72  - "Natural Language Understanding"
73  - "Sender analysis"
74id: "a16480ef-07b8-5962-933a-9dbdfc5560d6"
to-top