Business Email Compromise: Request For Mobile Number Via Reply Thread Hijacking

This rule detects BEC attacks that use reply threads to solicit mobile numbers, evading detection rules that exclude RE: subjects.

Sublime rule (View on GitHub)

 1name: "Business Email Compromise: Request For Mobile Number Via Reply Thread Hijacking"
 2description: "This rule detects BEC attacks that use reply threads to solicit mobile numbers, evading detection rules that exclude RE: subjects."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and 0 < length(body.previous_threads) < 3
 8  and length(attachments) == 0
 9  // Check previous_threads for mobile solicitation patterns
10  and any(body.previous_threads,
11          (
12            length(.text) < 500
13            // ignore disclaimers in body length calculation
14            or (
15              any(map(filter(ml.nlu_classifier(.text).entities,
16                             .name == "disclaimer"
17                      ),
18                      .text
19                  ),
20                  (length(..text) - length(.)) < 500
21              )
22            )
23          )
24          and regex.icontains(.text,
25                              '(mobile|contact|current).{0,10}(phone|number|#|\bno)|whatsapp|\bcell|personalcell'
26          )
27  )
28  
29  // NLU analysis on previous_threads content
30  and (
31    any(body.previous_threads,
32        any(ml.nlu_classifier(.text).intents,
33            .name in ("bec", "advance_fee") and .confidence in ("medium", "high")
34        )
35    )
36    or (
37      // confidence can be low on very short bodies
38      any(body.previous_threads, length(.text) < 550)
39      and (
40        any(body.previous_threads,
41            any(ml.nlu_classifier(.text).intents, .name == "bec")
42        )
43        or any(ml.nlu_classifier(sender.display_name).intents, .name == "bec")
44        or any(body.previous_threads,
45               any(ml.nlu_classifier(.text).entities,
46                   strings.icontains(.text, "kindly")
47               )
48        )
49      )
50    )
51  )
52  // Sender analysis
53  and (
54    not profile.by_sender().solicited
55    or profile.by_sender().any_messages_malicious_or_spam
56  )
57  and not profile.by_sender().any_messages_benign
58  // not high trust sender domains
59  and (
60    (
61      sender.email.domain.root_domain in $high_trust_sender_root_domains
62      and not headers.auth_summary.dmarc.pass
63    )
64    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
65  )
66  // Ensure this is likely a hijacked thread (sender doesn't match thread participants)
67  and (
68    length(headers.references) > 0
69    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
70  )  
71
72attack_types:
73  - "BEC/Fraud"
74tactics_and_techniques:
75  - "Social engineering"
76  - "Thread hijacking"
77detection_methods:
78  - "Content analysis"
79  - "Natural Language Understanding"
80  - "Sender analysis"
81id: "0282f346-7175-5d9c-9b10-a3e99462d263"
to-top