Business Email Compromise (BEC) with request for mobile number

This rule detects unsolicited messages with a small plain-text body that attempt to solicit a mobile number.

Sublime rule (View on GitHub)

 1name: "Business Email Compromise (BEC) with request for mobile number"
 2description: "This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 500
 8  and length(attachments) == 0
 9  and regex.contains(body.current_thread.text,
10                     "(email|send|shoot|give|provide|attach|confirm|) (me|your)"
11  )
12  and regex.contains(body.current_thread.text,
13                     "(cell(/s?phone)?|mobile.{0,10}(phone|number|#|no)|whatsapp)"
14  )
15  and (
16    any(ml.nlu_classifier(body.current_thread.text).intents,
17        .name == "bec" and .confidence in ("medium", "high")
18    )
19    or (
20      // confidence can be low on very short bodies
21      length(body.current_thread.text) < 150
22      and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec")
23    )
24  )
25  and (
26    not profile.by_sender().solicited
27    or profile.by_sender().any_messages_malicious_or_spam
28  )
29  and not profile.by_sender().any_false_positives  
30
31attack_types:
32  - "BEC/Fraud"
33tactics_and_techniques:
34  - "Social engineering"
35detection_methods:
36  - "Content analysis"
37  - "Natural Language Understanding"
38  - "Sender analysis"
39id: "514ffd68-a663-5b83-8a25-e380f0a7f1a7"