Honorific greeting BEC attempt with sender and reply-to mismatch

Detects generic BEC/fraud scams by analyzing the body text of messages whose From and Reply-To senders are mismatched, in combination with other suspicious indicators.


 1name: "Honorific greeting BEC attempt with sender and reply-to mismatch"
 2description: |
 3    Detects generic BEC/Fraud scams by analyzing text within the email body from mismatched senders with other suspicious indicators.
 4type: "rule"
 5severity: "low"
 6source: |
 7  type.inbound
 8  // mismatched sender (From) and Reply-to + freemail
 9  and any(headers.reply_to,
10          length(headers.reply_to) > 0
11          and all(headers.reply_to,
12                  .email.domain.root_domain != sender.email.domain.root_domain
13                  and .email.domain.root_domain in $free_email_providers
14          )
15  )
16
17  // use of honorific
18  and regex.icontains(body.current_thread.text,
19                      '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+'
20  )
21
22  // BEC-themed language
23  and (
24    any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec")
25    and any(ml.nlu_classifier(body.current_thread.text).entities,
26            .name == "request"
27    )
28  )
29
30  // negate highly trusted sender domains unless they fail DMARC authentication
31  and (
32    (
33      sender.email.domain.root_domain in $high_trust_sender_root_domains
34      and (
35        any(distinct(headers.hops, .authentication_results.dmarc is not null),
36            strings.ilike(.authentication_results.dmarc, "*fail")
37        )
38      )
39    )
40    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
41  )
42  and (
43    (
44      profile.by_sender().prevalence in ("new", "outlier")
45      and not profile.by_sender().solicited
46    )
47    or (
48      profile.by_sender().any_messages_malicious_or_spam
49      and not profile.by_sender().any_false_positives
50    )
51  )
52  and not profile.by_sender().any_false_positives  
53
54attack_types:
55  - "BEC/Fraud"
56tactics_and_techniques:
57  - "Free email provider"
58  - "Social engineering"
59detection_methods:
60  - "Content analysis"
61  - "Header analysis"
62  - "Natural Language Understanding"
63  - "Sender analysis"
64id: "aa41b1b7-155c-5812-b431-25ac415538a6"