Honorific greeting BEC attempt with sender and reply-to mismatch

Detects generic BEC/Fraud scams by analyzing the text of the email body when the sender and Reply-To are mismatched and other suspicious indicators are present.

Sublime rule

# Sublime Security detection rule: YAML metadata wrapping an MQL query in `source`.
# Every `and` clause in the query must hold for the message to match.
name: "Honorific greeting BEC attempt with sender and reply-to mismatch"
description: |
    Detects generic BEC/Fraud scams by analyzing text within the email body from mismatched senders with other suspicious indicators.
type: "rule"
severity: "low"
source: |
  // Only inbound mail is evaluated.
  type.inbound
  // mismatched sender (From) and Reply-to + freemail
  // Requires at least one Reply-To header, and EVERY Reply-To address must
  // (a) sit on a different root domain than the From sender and
  // (b) be on a free email provider ($free_email_providers).
  and any(headers.reply_to,
          length(headers.reply_to) > 0
          and all(headers.reply_to,
                  .email.domain.root_domain != sender.email.domain.root_domain
                  and .email.domain.root_domain in $free_email_providers
          )
  )
  
  // use of honorific
  // Case-insensitive match on a title, an optional period, then whitespace.
  // NOTE(review): there is no leading word boundary, so a word that merely
  // ends in one of these tokens followed by whitespace (e.g. "...sir ") also
  // matches; a leading `\b` would tighten this if false positives appear.
  and regex.icontains(body.current_thread.text,
                      '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+'
  )
  
  // BEC-themed language
  // Both NLU signals are required: an intent classified as bec or advance_fee,
  // and a "request" entity in the current thread text.
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("bec", "advance_fee")
    )
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "request"
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // A high-trust root domain is exempt only while it passes DMARC, so a
  // spoofed high-trust domain that fails DMARC still reaches the rule.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender reputation: either a new/outlier sender that was not solicited,
  // or a sender with prior malicious/spam messages and no benign ones.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // No benign history from this sender at all.
  // NOTE(review): this clause already covers the `not any_messages_benign`
  // check inside the second branch above, which is therefore redundant
  // (harmless, but it could be dropped).
  and not profile.by_sender().any_messages_benign  
# Classification metadata used for triage and reporting.
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  # "Free email provider" corresponds to the $free_email_providers check on Reply-To.
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "aa41b1b7-155c-5812-b431-25ac415538a6"