Business Email Compromise (BEC) with request for mobile number

 1name: "Business Email Compromise (BEC) with request for mobile number"
 2description: "This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    length(body.current_thread.text) < 500
 9    or any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
10                      .name == "disclaimer"
11               ),
12               .text
13           ),
14           (length(body.current_thread.text) - length(.)) < 500
15    )
16  )
17  and length(attachments) == 0
18  and regex.icontains(body.current_thread.text,
19                      '(?:mobile|contact|current|reliable).{0,10}(?:phone|number|#|\bno)|whatsapp|\bcell|personalcell|(?:share|what).{0,25}number.{0,15}(?:connect|reach|text|message|contact|call)|(?:\bdrop|which|send.{0,5}your|best).{0,25}(?:number|\bnum\b|#).{0,15}(?:(?:connect|reach|contact|call).{0,5}you|text|message|works?\b|stay connected)|forward.{0,25}(?:\bnum\b|#)|get (?:your.{0,25}(?:number|\bnum\b|#)|in touch.{0,15}(?:via|by|through).{0,10}(?:text|phone|cell|sms|whatsapp))|(?:provide|confirm|reply.{0,15}with).{0,25}(?:direct|preferred).{0,15}(?:text.?enabled.{0,15})?(?:phone.{0,5})?(?:number|\bnum\b|#|line)|(?:share|send).{0,25}(?:direct|preferred).{0,15}(?:text.?enabled.{0,15})?(?:phone.{0,5})(?:number|\bnum\b|#|line)|(?:share|send).{0,25}preferred.{0,15}(?:text.?enabled.{0,15})?(?:number|\bnum\b|#|line)|(?:direct|preferred).{0,15}line.{0,15}(?:for|to|via).{0,10}(?:text|call|reach|contact|sms)|have.{0,15}preferred.{0,10}number'
20  )
21  and (
22    any(ml.nlu_classifier(body.current_thread.text).intents,
23        .name in ("bec", "advance_fee") and .confidence != "low"
24    )
25    or (
26      // confidence can be low on very short bodies
27      length(body.current_thread.text) < 550
28      and (
29        any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec")
30        or any(ml.nlu_classifier(sender.display_name).intents, .name == "bec")
31        or any(ml.nlu_classifier(body.current_thread.text).entities,
32               strings.icontains(.text, "kindly")
33        )
34      )
35    )
36  )
37  and (
38    (
39      (length(headers.references) > 0 or headers.in_reply_to is null)
40      and not (
41        (
42          strings.istarts_with(subject.subject, "RE:")
43          or strings.istarts_with(subject.subject, "RES:")
44          or strings.istarts_with(subject.subject, "R:")
45          or strings.istarts_with(subject.subject, "ODG:")
46          or strings.istarts_with(subject.subject, "答复:")
47          or strings.istarts_with(subject.subject, "AW:")
48          or strings.istarts_with(subject.subject, "TR:")
49          or strings.istarts_with(subject.subject, "FWD:")
50          or regex.imatch(subject.subject,
51                          '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
52          )
53        )
54      )
55    )
56    or length(headers.references) == 0
57  )
58  and (
59    not profile.by_sender().solicited
60    or profile.by_sender().any_messages_malicious_or_spam
61  )
62  and not profile.by_sender().any_messages_benign  
63attack_types:
64  - "BEC/Fraud"
65tactics_and_techniques:
66  - "Social engineering"
67detection_methods:
68  - "Content analysis"
69  - "Natural Language Understanding"
70  - "Sender analysis"
71id: "514ffd68-a663-5b83-8a25-e380f0a7f1a7"