Honorific greeting BEC attempt with sender and reply-to mismatch

Detects generic BEC/Fraud scams by analyzing text within the email body from mismatched senders with other suspicious indicators.

Sublime rule (View on GitHub)

 1name: "Honorific greeting BEC attempt with sender and reply-to mismatch"
 2description: |
 3    Detects generic BEC/Fraud scams by analyzing text within the email body from mismatched senders with other suspicious indicators.
 4type: "rule"
 5severity: "low"
 6source: |
 7  type.inbound
 8  // mismatched sender (From) and Reply-to + freemail
 9  and any(headers.reply_to,
10          length(headers.reply_to) > 0
11          and all(headers.reply_to,
12                  .email.domain.root_domain != sender.email.domain.root_domain
13                  and .email.domain.root_domain in $free_email_providers
14          )
15  )
16
17  // use of honorific
18  and regex.icontains(body.current_thread.text,
19                      '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+'
20  )
21
22  // BEC-themed language
23  and (
24    any(ml.nlu_classifier(body.current_thread.text).intents, .name in ("bec", "advance_fee"))
25    and any(ml.nlu_classifier(body.current_thread.text).entities,
26            .name == "request"
27    )
28  )
29
30  // negate highly trusted sender domains unless they fail DMARC authentication
31  and (
32    (
33      sender.email.domain.root_domain in $high_trust_sender_root_domains
34      and not headers.auth_summary.dmarc.pass
35    )
36    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
37  )
38  and (
39    (
40      profile.by_sender().prevalence in ("new", "outlier")
41      and not profile.by_sender().solicited
42    )
43    or (
44      profile.by_sender().any_messages_malicious_or_spam
45      and not profile.by_sender().any_false_positives
46    )
47  )
48  and not profile.by_sender().any_false_positives  
49
50attack_types:
51  - "BEC/Fraud"
52tactics_and_techniques:
53  - "Free email provider"
54  - "Social engineering"
55detection_methods:
56  - "Content analysis"
57  - "Header analysis"
58  - "Natural Language Understanding"
59  - "Sender analysis"
60id: "aa41b1b7-155c-5812-b431-25ac415538a6"
to-top