Business Email Compromise (BEC) with request for mobile number

calendar May 26, 2026  ·
Share on: linkedin copy

This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number.

Sublime rule (View on GitHub)

 1name: "Business Email Compromise (BEC) with request for mobile number"
 2description: "This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    length(body.current_thread.text) < 500
 9    or any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
10                      .name == "disclaimer"
11               ),
12               .text
13           ),
14           (length(body.current_thread.text) - length(.)) < 500
15    )
16  )
17  and length(attachments) == 0
18  and regex.icontains(body.current_thread.text,
19                      '(?:mobile|contact|current|reliable).{0,10}(?:phone|number|#|\bno)|whatsapp|\bcell|personalcell|(?:share|what).{0,25}number.{0,15}(?:connect|reach|text|message|contact|call)|(?:\bdrop|which|send.{0,5}your|best).{0,25}(?:number|\bnum\b|#).{0,15}(?:(?:connect|reach|contact|call).{0,5}you|text|message|works?\b|stay connected)|forward.{0,25}(?:\bnum\b|#)|get (?:your.{0,25}(?:number|\bnum\b|#)|in touch.{0,15}(?:via|by|through).{0,10}(?:text|phone|cell|sms|whatsapp))|(?:provide|confirm|reply.{0,15}with).{0,25}(?:direct|preferred).{0,15}(?:text.?enabled.{0,15})?(?:phone.{0,5})?(?:number|\bnum\b|#|line)|(?:share|send).{0,25}(?:direct|preferred).{0,15}(?:text.?enabled.{0,15})?(?:phone.{0,5})(?:number|\bnum\b|#|line)|(?:share|send).{0,25}preferred.{0,15}(?:text.?enabled.{0,15})?(?:number|\bnum\b|#|line)|(?:direct|preferred).{0,15}line.{0,15}(?:for|to|via).{0,10}(?:text|call|reach|contact|sms)'
20  )
21  and (
22    any(ml.nlu_classifier(body.current_thread.text).intents,
23        .name in ("bec", "advance_fee") and .confidence != "low"
24    )
25    or (
26      // confidence can be low on very short bodies
27      length(body.current_thread.text) < 550
28      and (
29        any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec")
30        or any(ml.nlu_classifier(sender.display_name).intents, .name == "bec")
31        or any(ml.nlu_classifier(body.current_thread.text).entities,
32               strings.icontains(.text, "kindly")
33        )
34      )
35    )
36  )
37  and (
38    (
39      (
40        length(headers.references) > 0
41        or not any(headers.hops,
42                   any(.fields, strings.ilike(.name, "In-Reply-To"))
43        )
44      )
45      and not (
46        (
47          strings.istarts_with(subject.subject, "RE:")
48          or strings.istarts_with(subject.subject, "RES:")
49          or strings.istarts_with(subject.subject, "R:")
50          or strings.istarts_with(subject.subject, "ODG:")
51          or strings.istarts_with(subject.subject, "答复:")
52          or strings.istarts_with(subject.subject, "AW:")
53          or strings.istarts_with(subject.subject, "TR:")
54          or strings.istarts_with(subject.subject, "FWD:")
55          or regex.imatch(subject.subject,
56                          '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
57          )
58        )
59      )
60    )
61    or length(headers.references) == 0
62  )
63  and (
64    not profile.by_sender().solicited
65    or profile.by_sender().any_messages_malicious_or_spam
66  )
67  and not profile.by_sender().any_messages_benign  
68
69attack_types:
70  - "BEC/Fraud"
71tactics_and_techniques:
72  - "Social engineering"
73detection_methods:
74  - "Content analysis"
75  - "Natural Language Understanding"
76  - "Sender analysis"
77id: "514ffd68-a663-5b83-8a25-e380f0a7f1a7"
to-top