COVID-19 themed fraud with sender and reply-to mismatch or compensation award
Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance, compensation, or awards from mismatched senders and other suspicious language.
Sublime rule

```yaml
name: "COVID-19 themed fraud with sender and reply-to mismatch or compensation award"
description: |
  Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance, compensation, or awards from mismatched senders and other suspicious language.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // mismatched sender (From) and Reply-to + freemail
  and any(headers.reply_to,
          length(headers.reply_to) > 0
          and all(headers.reply_to,
                  .email.domain.root_domain != sender.email.domain.root_domain
                  and .email.domain.root_domain in $free_email_providers
          )
  )

  // use of honorific
  and regex.icontains(body.current_thread.text,
                      '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+',
                      'Dear Sir'
  )

  // mention of covid or an international organization
  and regex.icontains(body.current_thread.text,
                      'international (court of justice|monetary fund)',
                      'united nations',
                      'western union',
                      'world bank',
                      'world health organization',
                      'interpol',
                      'treasury',
                      '\bFEMA\b',
                      '\bIMF\b'
  )

  // and mention of covid in subject or body
  and (
    regex.icontains(subject.subject, 'covid(.{0,5}19)?\b')
    or regex.icontains(body.current_thread.text, 'covid(.{0,5}19)?\b')
  )

  // Check for compensation or award related language
  and (
    2 of (
      any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
      any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request"),
      any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial")
    )
    or regex.icontains(subject.subject,
                       'compensation.{0,20}(award|fund)',
                       'covid.{0,20}(compensation|award)',
                       'selected.{0,30}(compensation|award)',
                       'claim your award',
                       'reference no')
    or regex.icontains(body.current_thread.text,
                       'compensation.{0,20}(award|fund)',
                       'covid.{0,20}(compensation|award)',
                       'selected.{0,30}(compensation|award)',
                       'claim your award',
                       'reference no\W\s*[^\s]*cov(?:id)?(?:.{0,5}19)?\b')
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "a16480ef-07b8-5962-933a-9dbdfc5560d6"
```
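To see how the rule's conditions combine on a concrete message, the following is an added Python approximation of the rule's logic, written for this page; it is not Sublime's code and does not run MQL. It re-implements the regex checks from the rule over a constructed scam sample and a constructed benign sample parsed with the standard `email` module. The `$free_email_providers` and `$high_trust_sender_root_domains` lists are stand-ins with a few assumed entries, `root_domain` is a naive last-two-labels approximation of Sublime's public-suffix-aware `.root_domain`, the `profile.by_sender()` and DMARC signals are passed in as keyword arguments, and the `ml.nlu_classifier` branch is omitted, so only the regex branch of the compensation check is reproduced.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Stand-ins for Sublime's $free_email_providers / $high_trust_sender_root_domains
# lists (assumed entries for this example; the real lists are maintained by Sublime).
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"who.int", "un.org"}

# Regexes transcribed from the rule; the rule runs them case-insensitively (regex.icontains).
HONORIFIC_RE = re.compile(r"(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+|Dear Sir", re.I)
ORG_RE = re.compile(r"international (?:court of justice|monetary fund)|united nations|"
                    r"western union|world bank|world health organization|interpol|"
                    r"treasury|\bFEMA\b|\bIMF\b", re.I)
COVID_RE = re.compile(r"covid(?:.{0,5}19)?\b", re.I)
COMP_SUBJECT_RE = re.compile(r"compensation.{0,20}(?:award|fund)|covid.{0,20}(?:compensation|award)|"
                             r"selected.{0,30}(?:compensation|award)|claim your award|reference no", re.I)
COMP_BODY_RE = re.compile(r"compensation.{0,20}(?:award|fund)|covid.{0,20}(?:compensation|award)|"
                          r"selected.{0,30}(?:compensation|award)|claim your award|"
                          r"reference no\W\s*[^\s]*cov(?:id)?(?:.{0,5}19)?\b", re.I)


def root_domain(address):
    """Naive root domain (last two labels); Sublime's .root_domain is public-suffix aware."""
    domain = address.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def plain_text_body(msg):
    """Return the first text/plain part, standing in for body.current_thread.text."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, errors="replace")
    return ""


def evaluate(raw_message, dmarc_pass=True, prevalence="new", solicited=False,
             any_malicious_or_spam=False, any_false_positives=False):
    """Mirror the rule's AND chain; returns (verdict, per-check results) for triage."""
    msg = message_from_string(raw_message)
    sender = getaddresses([msg.get("From", "")])[0][1]
    reply_tos = [addr for _, addr in getaddresses(msg.get_all("Reply-To", []))]
    subject = msg.get("Subject", "")
    body = plain_text_body(msg)
    sender_root = root_domain(sender)

    checks = {
        # every Reply-To must be a freemail domain that differs from the From root domain
        "reply_to_mismatch_freemail": bool(reply_tos) and all(
            root_domain(r) != sender_root and root_domain(r) in FREE_EMAIL_PROVIDERS
            for r in reply_tos),
        "honorific": bool(HONORIFIC_RE.search(body)),
        "org_mention": bool(ORG_RE.search(body)),
        "covid_mention": bool(COVID_RE.search(subject) or COVID_RE.search(body)),
        # regex branch only; the rule's "2 of" NLU-entity branch is not reproduced here
        "compensation_language": bool(COMP_SUBJECT_RE.search(subject) or COMP_BODY_RE.search(body)),
        # trusted domains are exempt unless DMARC failed
        "trusted_domain_gate": sender_root not in HIGH_TRUST_SENDER_ROOT_DOMAINS or not dmarc_pass,
        # sender-profile gate as in the rule's last two clauses
        "sender_profile_gate": ((prevalence in ("new", "outlier") and not solicited)
                                or (any_malicious_or_spam and not any_false_positives))
                               and not any_false_positives,
    }
    return all(checks.values()), checks


# Constructed samples (not real messages).
SCAM_EMAIL = """\
From: "UN Compensation Unit" <claims@un-relief-desk.example>
Reply-To: un.claims.office@gmail.com
Subject: COVID-19 Compensation Award - Reference No: UN/COV19/2021
Content-Type: text/plain; charset=utf-8

Dear Sir,

The United Nations in partnership with the World Health Organization has selected you
for a COVID-19 compensation fund payment. Please reply with your details to claim your award.
"""

BENIGN_EMAIL = """\
From: "Payroll" <payroll@example-corp.example>
Subject: Updated WFH guidance during COVID-19
Content-Type: text/plain; charset=utf-8

Hi all,

Please see the attached policy update and reply to this thread with questions.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EMAIL), ("benign", BENIGN_EMAIL)):
        verdict, checks = evaluate(raw)
        failed = [k for k, v in checks.items() if not v]
        print(f"{label}: flagged={verdict} failed_checks={failed}")
```

Returning the per-check dictionary rather than only the verdict is the useful part for a detection engineer: when a message is not flagged, it shows which clause blocked it (for the benign sample, the Reply-To mismatch), and passing `dmarc_pass=False` or `solicited=True` lets you exercise the trusted-domain and sender-profile gates without a live sender profile.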