Business Email Compromise (BEC) with request for mobile number
This rule detects unsolicited messages with a small plain-text body that attempt to solicit a mobile number.
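name: "Business Email Compromise (BEC) with request for mobile number"
description: "This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // a short, attachment-free body is the shape of the opening message in this lure
  and length(body.current_thread.text) < 500
  and length(attachments) == 0
  // an asking verb directly followed by "me"/"your". Case-insensitive so a
  // sentence-initial "Send me" / "Email me" still matches. Keep the alternation
  // free of an empty branch: a trailing "|" makes the whole group optional and
  // lets any " me" / " your" in the body satisfy this condition.
  and regex.icontains(body.current_thread.text,
                      "(email|send|shoot|give|provide|attach|confirm) (me|your)"
  )
  // a reference to a cell/mobile number or WhatsApp. "\s?" lets both
  // "cell phone" and "cellphone" match; a literal "/s?" here would only ever
  // match a slash, so the separator must be the whitespace class.
  and regex.icontains(body.current_thread.text,
                      "(cell(\s?phone)?|mobile.{0,10}(phone|number|#|no)|whatsapp)"
  )
  // the NLU classifier must see a BEC intent; on very short bodies its
  // confidence is often low, so the confidence bar is relaxed there
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "bec" and .confidence in ("medium", "high")
    )
    or (
      // confidence can be low on very short bodies
      length(body.current_thread.text) < 150
      and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec")
    )
  )
  // sender context: the message is unsolicited, or the sender already has
  // malicious/spam history
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  // suppress senders that have previously been marked as false positives
  and not profile.by_sender().any_false_positives

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "514ffd68-a663-5b83-8a25-e380f0a7f1a7"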