Business Email Compromise (BEC) with request for mobile number

calendar Aug 29, 2024  ·
Share on: linkedin copy

This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number.

Sublime rule (View on GitHub)

 1name: "Business Email Compromise (BEC) with request for mobile number"
 2description: "This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 500
 8  and length(attachments) == 0
 9  
10  and regex.icontains(body.current_thread.text,
11                     '(mobile|contact).{0,10}(phone|number|#|\bno)|whatsapp|\bcell|personalcell'
12  )
13  and (
14    any(ml.nlu_classifier(body.current_thread.text).intents,
15        .name in ("bec", "advance_fee") and .confidence in ("medium", "high")
16    )
17    or (
18      // confidence can be low on very short bodies
19      length(body.current_thread.text) < 550
20      and (
21        any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec")
22        or any(ml.nlu_classifier(body.current_thread.text).entities,
23               strings.icontains(.text, "kindly")
24        )
25      )
26    )
27  )
28  and (
29    (
30      (
31        length(headers.references) > 0
32        or not any(headers.hops,
33                   any(.fields, strings.ilike(.name, "In-Reply-To"))
34        )
35      )
36      and not (
37        (
38          strings.istarts_with(subject.subject, "RE:")
39          or strings.istarts_with(subject.subject, "RES:")
40          or strings.istarts_with(subject.subject, "R:")
41          or strings.istarts_with(subject.subject, "ODG:")
42          or strings.istarts_with(subject.subject, "答复:")
43          or strings.istarts_with(subject.subject, "AW:")
44          or strings.istarts_with(subject.subject, "TR:")
45          or strings.istarts_with(subject.subject, "FWD:")
46          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*')
47        )
48      )
49    )
50    or length(headers.references) == 0
51  )
52  and (
53    not profile.by_sender().solicited
54    or profile.by_sender().any_messages_malicious_or_spam
55  )
56  and not profile.by_sender().any_false_positives  
57
58attack_types:
59  - "BEC/Fraud"
60tactics_and_techniques:
61  - "Social engineering"
62detection_methods:
63  - "Content analysis"
64  - "Natural Language Understanding"
65  - "Sender analysis"
66id: "514ffd68-a663-5b83-8a25-e380f0a7f1a7"
to-top