Business Email Compromise (BEC) with request for mobile number

calendar Apr 4, 2025  ·
Share on: linkedin copy

This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number.

Sublime rule (View on GitHub)

 1name: "Business Email Compromise (BEC) with request for mobile number"
 2description: "This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 500
 8  and length(attachments) == 0
 9  
10  and regex.icontains(body.current_thread.text,
11                     '(mobile|contact|current).{0,10}(phone|number|#|\bno)|whatsapp|\bcell|personalcell'
12  )
13  and (
14    any(ml.nlu_classifier(body.current_thread.text).intents,
15        .name in ("bec", "advance_fee") and .confidence in ("medium", "high")
16    )
17    or (
18      // confidence can be low on very short bodies
19      length(body.current_thread.text) < 550
20      and (
21        any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec")
22        or any(ml.nlu_classifier(sender.display_name).intents, .name == "bec")
23        or any(ml.nlu_classifier(body.current_thread.text).entities,
24               strings.icontains(.text, "kindly")
25        )
26      )
27    )
28  )
29  and (
30    (
31      (
32        length(headers.references) > 0
33        or not any(headers.hops,
34                   any(.fields, strings.ilike(.name, "In-Reply-To"))
35        )
36      )
37      and not (
38        (
39          strings.istarts_with(subject.subject, "RE:")
40          or strings.istarts_with(subject.subject, "RES:")
41          or strings.istarts_with(subject.subject, "R:")
42          or strings.istarts_with(subject.subject, "ODG:")
43          or strings.istarts_with(subject.subject, "答复:")
44          or strings.istarts_with(subject.subject, "AW:")
45          or strings.istarts_with(subject.subject, "TR:")
46          or strings.istarts_with(subject.subject, "FWD:")
47          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*')
48        )
49      )
50    )
51    or length(headers.references) == 0
52  )
53  and (
54    not profile.by_sender().solicited
55    or profile.by_sender().any_messages_malicious_or_spam
56  )
57  and not profile.by_sender().any_false_positives  
58
59attack_types:
60  - "BEC/Fraud"
61tactics_and_techniques:
62  - "Social engineering"
63detection_methods:
64  - "Content analysis"
65  - "Natural Language Understanding"
66  - "Sender analysis"
67id: "514ffd68-a663-5b83-8a25-e380f0a7f1a7"
to-top