Business Email Compromise: Request For Mobile Number Via Reply Thread Hijacking
This rule detects BEC attacks that use reply threads to solicit mobile numbers, evading detection rules that exclude RE: subjects.
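name: "Business Email Compromise: Request For Mobile Number Via Reply Thread Hijacking"
description: "This rule detects BEC attacks that use reply threads to solicit mobile numbers, evading detection rules that exclude RE: subjects."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // only short reply chains: one or two quoted prior messages, no attachments
  and 0 < length(body.previous_threads) < 3
  and length(attachments) == 0
  // Check previous_threads for mobile solicitation patterns
  and any(body.previous_threads,
          (
            length(.text) < 500
            // ignore disclaimers in body length calculation: subtract the length of
            // any NLU-detected disclaimer entity before applying the 500-char cap
            or (
              any(map(filter(ml.nlu_classifier(.text).entities,
                             .name == "disclaimer"
                      ),
                      .text
                  ),
                  (length(..text) - length(.)) < 500
              )
            )
          )
          and regex.icontains(.text,
                              '(mobile|contact|current).{0,10}(phone|number|#|\bno)|whatsapp|\bcell|personalcell'
          )
  )

  // NLU analysis on previous_threads content
  and (
    any(body.previous_threads,
        any(ml.nlu_classifier(.text).intents,
            .name in ("bec", "advance_fee") and .confidence in ("medium", "high")
        )
    )
    or (
      // confidence can be low on very short bodies, so for threads under 550 chars
      // accept a bec intent at any confidence, a bec intent on the display name,
      // or the classic "kindly" phrasing inside a detected entity
      any(body.previous_threads, length(.text) < 550)
      and (
        any(body.previous_threads,
            any(ml.nlu_classifier(.text).intents, .name == "bec")
        )
        or any(ml.nlu_classifier(sender.display_name).intents, .name == "bec")
        or any(body.previous_threads,
               any(ml.nlu_classifier(.text).entities,
                   strings.icontains(.text, "kindly")
               )
        )
      )
    )
  )
  // Sender analysis: unsolicited or previously malicious/spam senders with no benign history
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_messages_benign
  // not high trust sender domains, unless the high-trust domain fails DMARC
  // (a failed DMARC check means the trusted domain may be spoofed)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Require reply-chain headers (References, or an In-Reply-To field on any hop)
  // so the message at least presents itself as part of an existing thread.
  // NOTE: this does not compare the sender with the quoted thread's participants;
  // a genuine reply carries the same headers and passes this clause, so the
  // sender-profile checks above are what limit matches from known senders.
  and (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Thread hijacking"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "0282f346-7175-5d9c-9b10-a3e99462d263"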