Honorific greeting BEC attempt with sender and reply-to mismatch
Detects generic BEC/Fraud scams by analyzing text within the email body from mismatched senders with other suspicious indicators.
Sublime rule (View on GitHub)
1name: "Honorific greeting BEC attempt with sender and reply-to mismatch"
2description: |
3 Detects generic BEC/Fraud scams by analyzing text within the email body from mismatched senders with other suspicious indicators.
4type: "rule"
5severity: "low"
6source: |
7 type.inbound
8 // mismatched sender (From) and Reply-to + freemail
9 and any(headers.reply_to,
10 length(headers.reply_to) > 0
11 and all(headers.reply_to,
12 .email.domain.root_domain != sender.email.domain.root_domain
13 and .email.domain.root_domain in $free_email_providers
14 )
15 )
16
17 // use of honorific
18 and regex.icontains(body.current_thread.text,
19 '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+'
20 )
21
22 // BEC-themed language
23 and (
24 any(ml.nlu_classifier(body.current_thread.text).intents, .name in ("bec", "advance_fee"))
25 and any(ml.nlu_classifier(body.current_thread.text).entities,
26 .name == "request"
27 )
28 )
29
30 // negate highly trusted sender domains unless they fail DMARC authentication
31 and (
32 (
33 sender.email.domain.root_domain in $high_trust_sender_root_domains
34 and not headers.auth_summary.dmarc.pass
35 )
36 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
37 )
38 and (
39 (
40 profile.by_sender().prevalence in ("new", "outlier")
41 and not profile.by_sender().solicited
42 )
43 or (
44 profile.by_sender().any_messages_malicious_or_spam
45 and not profile.by_sender().any_false_positives
46 )
47 )
48 and not profile.by_sender().any_false_positives
49
50attack_types:
51 - "BEC/Fraud"
52tactics_and_techniques:
53 - "Free email provider"
54 - "Social engineering"
55detection_methods:
56 - "Content analysis"
57 - "Header analysis"
58 - "Natural Language Understanding"
59 - "Sender analysis"
60id: "aa41b1b7-155c-5812-b431-25ac415538a6"