BEC: Financial fraud from newly registered sender domain

Detects inbound messages from domains registered less than 30 days ago that exhibit business email compromise intent with high-confidence financial or payment topics. The message must also contain explicit banking details such as account and routing numbers, invoice references, or payment urgency language, and must either fail DMARC on a trusted domain or originate from an untrusted domain.

Sublime rule (View on GitHub)

```yaml
name: "BEC: Financial fraud from newly registered sender domain"
description: "Detects inbound messages from domains registered less than 30 days ago that exhibit business email compromise intent with high-confidence financial or payment topics. The message must also contain explicit banking details such as account and routing numbers, invoice references, or payment urgency language, and must either fail DMARC on a trusted domain or originate from an untrusted domain."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and network.whois(sender.email.domain).days_old < 30
  and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec")
  and (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Financial Communications", "Payment Information")
        and .confidence == "high"
    )
  )
  and (
    (
      regex.icontains(body.current_thread.text,
                      'account\s*(?:number|num|no\.?)\s*:?\s*\d{5,}'
      )
      and regex.icontains(body.current_thread.text,
                          '(?:wire\s*)?routing\s*(?:number|num|no\.?)\s*:?\s*\d{5,}'
      )
    )
    or regex.icontains(body.current_thread.text,
                       'invoice\s*(?:#|number|num|no\.?)\s*:?\s*[A-Z0-9-]{3,}',
                       'per\s+\w+.{0,5}s\s+request'
    )
    or strings.icontains(body.current_thread.text,
                         'due upon receipt',
                         'confirm receipt of invoice',
                         'see attached invoice'
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Natural Language Understanding"
  - "Whois"
  - "Content analysis"
  - "Sender analysis"
  - "Header analysis"
id: "4be9b165-975f-5587-b780-9441d1b30782"
```
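To check how the deterministic clauses of this rule behave on concrete message bodies, here is an added Python re-implementation of the regex, keyword, domain-age and DMARC-negation logic (example code, not Sublime's engine or the rule's own code). The NLU intent/topic verdicts and the `$high_trust_sender_root_domains` list are stand-in inputs, and the sample messages are constructed; note how `coalesce(dmarc.pass, false)` means a trusted domain with a missing DMARC result is not suppressed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for Sublime's $high_trust_sender_root_domains list (assumption).
HIGH_TRUST_ROOT_DOMAINS = {"bigbank.example", "payroll-vendor.example"}

# Same patterns as the rule's regex.icontains / strings.icontains clauses (case-insensitive).
ACCOUNT_RE = re.compile(r'account\s*(?:number|num|no\.?)\s*:?\s*\d{5,}', re.I)
ROUTING_RE = re.compile(r'(?:wire\s*)?routing\s*(?:number|num|no\.?)\s*:?\s*\d{5,}', re.I)
INVOICE_RES = [
    re.compile(r'invoice\s*(?:#|number|num|no\.?)\s*:?\s*[A-Z0-9-]{3,}', re.I),
    re.compile(r'per\s+\w+.{0,5}s\s+request', re.I),
]
URGENCY_PHRASES = ("due upon receipt", "confirm receipt of invoice", "see attached invoice")

@dataclass
class Message:
    inbound: bool
    sender_root_domain: str            # sender.email.domain.root_domain
    domain_days_old: Optional[int]     # network.whois(...).days_old; None = no WHOIS creation date
    body: str                          # body.current_thread.text
    bec_intent: bool                   # stand-in for the ml.nlu_classifier "bec" intent (assumed input)
    high_conf_financial_topic: bool    # stand-in for the high-confidence topic check (assumed input)
    dmarc_pass: Optional[bool]         # headers.auth_summary.dmarc.pass; None = missing

def has_banking_details(body: str) -> bool:
    """Account+routing pair, OR an invoice/request regex, OR a payment-urgency phrase."""
    if ACCOUNT_RE.search(body) and ROUTING_RE.search(body):
        return True
    if any(r.search(body) for r in INVOICE_RES):
        return True
    lowered = body.lower()
    return any(p in lowered for p in URGENCY_PHRASES)

def trusted_and_authenticated(msg: Message) -> bool:
    """The negation clause: coalesce(dmarc.pass, false) treats a missing result as a failure."""
    dmarc = msg.dmarc_pass if msg.dmarc_pass is not None else False
    return msg.sender_root_domain in HIGH_TRUST_ROOT_DOMAINS and dmarc

def rule_matches(msg: Message) -> bool:
    if not msg.inbound:
        return False
    # A null WHOIS age cannot satisfy "< 30", so the rule does not fire.
    if msg.domain_days_old is None or msg.domain_days_old >= 30:
        return False
    if not (msg.bec_intent and msg.high_conf_financial_topic):
        return False
    if not has_banking_details(msg.body):
        return False
    return not trusted_and_authenticated(msg)
```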