COVID-19 themed fraud with sender and reply-to mismatch or compensation award

Detects potential COVID-19 themed BEC/Fraud scams by analyzing the text of the email body for mentions of COVID-19 assistance, compensation, or awards, combined with a mismatched sender and reply-to address and other suspicious language.


 1name: "COVID-19 themed fraud with sender and reply-to mismatch or compensation award"
 2description: |
 3    Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance, compensation, or awards from mismatched senders and other suspicious language.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  
 9  // mismatched sender (From) and Reply-to + freemail
10  and any(headers.reply_to,
11          length(headers.reply_to) > 0
12          and all(headers.reply_to,
13                  .email.domain.root_domain != sender.email.domain.root_domain
14                  and .email.domain.root_domain in $free_email_providers
15          )
16  )
17  
18  // use of honorific
19  and regex.icontains(body.current_thread.text,
20                      '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+',
21                      'Dear Sir'
22  )
23  
24  // mention of covid or an international organization
25  and regex.icontains(body.current_thread.text,
26                      'international (court of justice|monetary fund)',
27                      'united nations',
28                      'western union',
29                      'world bank',
30                      'world health organization',
31                      'interpol',
32                      'treasury',
33                      '\bFEMA\b',
34                      '\bIMF\b'
35  )
36  
37  // and mention of covid in subject or body
38  and (
39    regex.icontains(subject.subject, 'covid(.{0,5}19)?\b')
40    or regex.icontains(body.current_thread.text, 'covid(.{0,5}19)?\b')
41  )
42  
43  // Check for compensation or award related language
44  and (
45    2 of (
46      any(ml.nlu_classifier(body.current_thread.text).entities,
47          .name == "urgency"
48      ),
49      any(ml.nlu_classifier(body.current_thread.text).entities,
50          .name == "request"
51      ),
52      any(ml.nlu_classifier(body.current_thread.text).entities,
53          .name == "financial"
54      )
55    )
56    or regex.icontains(subject.subject,
57                       'compensation.{0,20}(award|fund)',
58                       'covid.{0,20}(compensation|award)',
59                       'selected.{0,30}(compensation|award)',
60                       'claim your award',
61                       'reference no'
62    )
63    or regex.icontains(body.current_thread.text,
64                       'compensation.{0,20}(award|fund)',
65                       'covid.{0,20}(compensation|award)',
66                       'selected.{0,30}(compensation|award)',
67                       'claim your award',
68                       'reference no\W\s*[^\s]*cov(?:id)?(?:.{0,5}19)?\b'
69    )
70  )
71  
72  // negate highly trusted sender domains unless they fail DMARC authentication
73  and (
74    (
75      sender.email.domain.root_domain in $high_trust_sender_root_domains
76      and not headers.auth_summary.dmarc.pass
77    )
78    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
79  )  
80attack_types:
81  - "BEC/Fraud"
82tactics_and_techniques:
83  - "Free email provider"
84  - "Social engineering"
85detection_methods:
86  - "Content analysis"
87  - "Header analysis"
88  - "Natural Language Understanding"
89  - "Sender analysis"
90id: "a16480ef-07b8-5962-933a-9dbdfc5560d6"