Business Email Compromise (BEC) attempt from untrusted sender
Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from first-time senders.
Sublime rule (View on GitHub)
1name: "Business Email Compromise (BEC) attempt from untrusted sender"
2description: |
3 Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from first-time senders.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and any(ml.nlu_classifier(body.current_thread.text).intents,
9 .name in ("bec") and .confidence == "high"
10 )
11 // negating legit replies
12 and not (
13 (
14 (
15 subject.is_reply
16 or subject.is_forward
17 // out of office auto-reply
18 // the NLU model will handle these better natively soon
19 or strings.istarts_with(subject.subject, "Automatic reply:")
20 )
21 and (
22 length(headers.references) > 0
23 or headers.in_reply_to is not null
24 )
25 )
26 or (
27 // calendar invite responses
28 regex.icontains(subject.base, '(?:Accepted|Declined|New Time Proposed|Tentative):')
29 and any(attachments, .content_type == "text/calendar")
30 and profile.by_sender_email().solicited
31 )
32 )
33 and (
34 not profile.by_sender().solicited
35 or (
36 profile.by_sender().any_messages_malicious_or_spam
37 and not profile.by_sender().any_messages_benign
38 )
39 )
40
41 // negate highly trusted sender domains unless they fail DMARC authentication
42 and (
43 (
44 sender.email.domain.root_domain in $high_trust_sender_root_domains
45 and not headers.auth_summary.dmarc.pass
46 )
47 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
48 )
49
50attack_types:
51 - "BEC/Fraud"
52tactics_and_techniques:
53 - "Social engineering"
54detection_methods:
55 - "Content analysis"
56 - "Header analysis"
57 - "Natural Language Understanding"
58 - "Sender analysis"
59id: "96d4c35a-ca53-559e-9db3-349dbbdffc20"