COVID-19 themed fraud with sender and reply-to mismatch

Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance from mismatched senders and other suspicious language.

Sublime rule (View on GitHub)

 1name: "COVID-19 themed fraud with sender and reply-to mismatch"
 2description: |
 3    Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance from mismatched senders and other suspicious language.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  
 9  // mismatched sender (From) and Reply-to + freemail
10  and any(headers.reply_to,
11          length(headers.reply_to) > 0
12          and all(headers.reply_to,
13                  .email.domain.root_domain != sender.email.domain.root_domain
14                  and .email.domain.root_domain in $free_email_providers
15          )
16  )
17  
18  // use of honorific
19  and regex.icontains(body.current_thread.text,
20                      '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+'
21  )
22  
23  // mention of covid or an interational organization
24  and regex.icontains(body.current_thread.text,
25                      'international (court of justice|monetary fund)',
26                      'united nations',
27                      'western union',
28                      'world bank',
29                      'world health organization',
30                      'interpol',
31                      'treasury',
32                      '\bFEMA\b',
33  )
34  
35  // and mention of covid in subject or body
36  and any([body.current_thread.text, subject.subject],
37          regex.icontains(., 'covid(.0,5}19)?\b')
38  )
39  
40  // urgent financial requests
41  and 2 of (
42    any(ml.nlu_classifier(body.html.display_text).entities, .name == "urgency"),
43    any(ml.nlu_classifier(body.html.display_text).entities, .name == "request"),
44    any(ml.nlu_classifier(body.html.display_text).entities, .name == "financial")
45  )
46  
47  // negate highly trusted sender domains unless they fail DMARC authentication
48  and (
49    (
50      sender.email.domain.root_domain in $high_trust_sender_root_domains
51      and (
52        any(distinct(headers.hops, .authentication_results.dmarc is not null),
53            strings.ilike(.authentication_results.dmarc, "*fail")
54        )
55      )
56    )
57    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
58  )
59  and (
60    (
61      profile.by_sender().prevalence in ("new", "outlier")
62      and not profile.by_sender().solicited
63    )
64    or (
65      profile.by_sender().any_messages_malicious_or_spam
66      and not profile.by_sender().any_false_positives
67    )
68  )
69  and not profile.by_sender().any_false_positives  
70attack_types:
71  - "BEC/Fraud"
72tactics_and_techniques:
73  - "Free email provider"
74  - "Social engineering"
75detection_methods:
76  - "Content analysis"
77  - "Header analysis"
78  - "Natural Language Understanding"
79  - "Sender analysis"
80id: "a16480ef-07b8-5962-933a-9dbdfc5560d6"