Business Email Compromise (BEC) with request for mobile number

calendar Jan 12, 2026  ·
Share on: linkedin copy

This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number.

Sublime rule (View on GitHub)

 1name: "Business Email Compromise (BEC) with request for mobile number"
 2description: "This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 500
 8  and length(attachments) == 0
 9  and regex.icontains(body.current_thread.text,
10                      '(mobile|contact|current).{0,10}(phone|number|#|\bno)|whatsapp|\bcell|personalcell'
11  )
12  and (
13    any(ml.nlu_classifier(body.current_thread.text).intents,
14        .name in ("bec", "advance_fee") and .confidence in ("medium", "high")
15    )
16    or (
17      // confidence can be low on very short bodies
18      length(body.current_thread.text) < 550
19      and (
20        any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec")
21        or any(ml.nlu_classifier(sender.display_name).intents, .name == "bec")
22        or any(ml.nlu_classifier(body.current_thread.text).entities,
23               strings.icontains(.text, "kindly")
24        )
25      )
26    )
27  )
28  and (
29    (
30      (
31        length(headers.references) > 0
32        or not any(headers.hops,
33                   any(.fields, strings.ilike(.name, "In-Reply-To"))
34        )
35      )
36      and not (
37        (
38          strings.istarts_with(subject.subject, "RE:")
39          or strings.istarts_with(subject.subject, "RES:")
40          or strings.istarts_with(subject.subject, "R:")
41          or strings.istarts_with(subject.subject, "ODG:")
42          or strings.istarts_with(subject.subject, "答复:")
43          or strings.istarts_with(subject.subject, "AW:")
44          or strings.istarts_with(subject.subject, "TR:")
45          or strings.istarts_with(subject.subject, "FWD:")
46          or regex.imatch(subject.subject,
47                          '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
48          )
49        )
50      )
51    )
52    or length(headers.references) == 0
53  )
54  and (
55    not profile.by_sender().solicited
56    or profile.by_sender().any_messages_malicious_or_spam
57  )
58  and not profile.by_sender().any_messages_benign  
59attack_types:
60  - "BEC/Fraud"
61tactics_and_techniques:
62  - "Social engineering"
63detection_methods:
64  - "Content analysis"
65  - "Natural Language Understanding"
66  - "Sender analysis"
67id: "514ffd68-a663-5b83-8a25-e380f0a7f1a7"
to-top