Business Email Compromise (BEC) with request for mobile number

This rule detects unsolicited messages with a small plain-text body that attempt to solicit a mobile number.

Sublime rule

```yaml
name: "Business Email Compromise (BEC) with request for mobile number"
description: "This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // short, attachment-free bodies are typical of the initial BEC lure
  and length(body.current_thread.text) < 500
  and length(attachments) == 0
  and regex.contains(body.current_thread.text,
                     "(email|send|shoot|give|provide) me"
  )
  and regex.contains(body.current_thread.text,
                     "(cell(/s?phone)?.{0,10}(phone|number|#|no)|whatsapp)"
  )
  // NLU must also classify the text as a BEC attempt
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "bec" and .confidence in ("medium", "high")
  )
  // sender is unsolicited, or previously seen sending malicious/spam mail
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "514ffd68-a663-5b83-8a25-e380f0a7f1a7"
```
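As an added example (not part of the rule or of the Sublime platform), the following Python re-implements the rule's conditions so the two regexes and the sender-profile gates can be exercised against constructed sample messages before tuning; the `Message` class, the precomputed NLU confidence field and the sample bodies are assumptions standing in for Sublime's message and profile objects.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Both patterns are copied verbatim from the rule's source.
REQUEST_RE = re.compile(r"(email|send|shoot|give|provide) me")
MOBILE_RE = re.compile(r"(cell(/s?phone)?.{0,10}(phone|number|#|no)|whatsapp)")
MAX_BODY_LEN = 500


@dataclass
class Message:
    """Hypothetical stand-in for the fields the rule reads."""
    body: str                        # body.current_thread.text
    attachments: int                 # length(attachments)
    bec_confidence: Optional[str]    # NLU 'bec' intent confidence, supplied as input
    solicited: bool                  # profile.by_sender().solicited
    malicious_or_spam: bool = False  # profile.by_sender().any_messages_malicious_or_spam
    false_positives: bool = False    # profile.by_sender().any_false_positives


def matches_rule(msg: Message) -> bool:
    """Mirror the rule's AND-chain; regexes are matched case-sensitively as written."""
    if len(msg.body) >= MAX_BODY_LEN or msg.attachments != 0:
        return False
    if not (REQUEST_RE.search(msg.body) and MOBILE_RE.search(msg.body)):
        return False
    if msg.bec_confidence not in ("medium", "high"):
        return False
    # a solicited sender only trips the rule if it also has malicious/spam history
    if msg.solicited and not msg.malicious_or_spam:
        return False
    return not msg.false_positives


# Constructed sample messages; none are real traffic.
SAMPLES = {
    "classic_lure": Message("Are you available? Please send me your cell phone number.", 0, "high", False),
    "whatsapp_lure": Message("Quick favour, give me your whatsapp so we can talk", 0, "medium", False),
    "known_contact": Message("Can you send me your cell number for the invoice call?", 0, "medium", True),
    "with_attachment": Message("send me your cell phone number", 1, "high", False),
    "low_confidence": Message("Please provide me your cell number", 0, "low", False),
}


def evaluate(samples: Dict[str, Message] = SAMPLES) -> Dict[str, bool]:
    """Return which constructed samples the rule logic would flag."""
    return {name: matches_rule(m) for name, m in samples.items()}
```

Only the two unsolicited lures are flagged; the solicited contact, the message with an attachment and the low-confidence NLU result all fall through the rule's gates.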