Business Email Compromise (BEC) attempt from unsolicited sender
Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders.
Sublime rule
name: "Business Email Compromise (BEC) attempt from unsolicited sender"
description: |
  Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("bec") and .confidence == "high"
  )
  and
  // mismatched From and Reply-to
  (
    (
      length(headers.reply_to) > 0
      and all(headers.reply_to,
              .email.domain.root_domain != sender.email.domain.root_domain
      )
    )
    or not headers.auth_summary.dmarc.pass
    or not headers.auth_summary.spf.pass
  )

  // negate "via" senders via dmarc authentication or gmail autoforwards
  and not (
    strings.ilike(headers.return_path.local_part, "*+caf_=*")
    and strings.contains(sender.display_name, "via")
    and (headers.auth_summary.dmarc.pass)
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
id: "57eccc45-0408-55ee-ae33-8203e166254a"
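As an added illustration, not part of the Sublime rule or its engine, the Python below mirrors the rule's `source` predicate clause by clause and runs it over constructed messages, including the Gmail auto-forward exception. The NLU classifier, sender profile and header fields are replaced by plain dict fields, and `root_domain` is a crude two-label approximation; both are assumptions.

```python
# Added example, not Sublime's engine: a plain-Python mirror of the rule's `source`
# predicate over constructed messages; NLU output is a precomputed `intents` list (assumption).
def root_domain(email: str) -> str:
    # Crude root-domain extraction; assumes two-label roots (no public-suffix list).
    return ".".join(email.rsplit("@", 1)[-1].lower().split(".")[-2:])

def bec_rule_matches(msg: dict) -> bool:
    """Return True when the message satisfies every clause of the rule."""
    if not msg["inbound"]:
        return False
    # any(ml.nlu_classifier(...).intents, .name in ("bec") and .confidence == "high")
    if not any(i["name"] == "bec" and i["confidence"] == "high" for i in msg["intents"]):
        return False
    # mismatched From / Reply-To root domains, or failed DMARC, or failed SPF
    sender_root = root_domain(msg["sender_email"])
    reply_to = msg["reply_to"]
    mismatched = len(reply_to) > 0 and all(root_domain(r) != sender_root for r in reply_to)
    if not (mismatched or not msg["dmarc_pass"] or not msg["spf_pass"]):
        return False
    # negate Gmail auto-forwards: "+caf_=" Return-Path, "via" display name, DMARC pass
    if ("+caf_=" in msg["return_path_local"].lower()
            and "via" in msg["display_name"] and msg["dmarc_pass"]):
        return False
    # unsolicited sender, or a solicited one with prior spam/malicious and no FPs
    p = msg["profile"]
    return (not p["solicited"]
            or (p["any_messages_malicious_or_spam"] and not p["any_false_positives"]))

def sample(**overrides) -> dict:
    # Constructed default: BEC-intent mail from an unknown sender, DMARC and SPF pass
    base = {"inbound": True, "intents": [{"name": "bec", "confidence": "high"}],
            "sender_email": "ceo@example-corp.com", "reply_to": [], "dmarc_pass": True,
            "spf_pass": True, "return_path_local": "ceo", "display_name": "Jane Doe",
            "profile": {"solicited": False, "any_messages_malicious_or_spam": False,
                        "any_false_positives": False}}
    return {**base, **overrides}

SEEN_SPAM = {"solicited": True, "any_messages_malicious_or_spam": True, "any_false_positives": False}
CLEAN_KNOWN = {"solicited": True, "any_messages_malicious_or_spam": False, "any_false_positives": False}
CASES = [  # constructed (message, expected verdict) pairs
    (sample(reply_to=["jane@mail-example.net"]), True),      # Reply-To on another root domain
    (sample(reply_to=["jane@hr.example-corp.com"]), False),  # same root domain, auth passes
    (sample(spf_pass=False), True),                          # SPF failure alone suffices
    (sample(spf_pass=False, return_path_local="bob+caf_=jane=example-corp.com",
            display_name="Jane Doe via Bob"), False),        # Gmail auto-forward exception
    (sample(spf_pass=False, profile=SEEN_SPAM), True),       # known sender with spam history
    (sample(spf_pass=False, profile=CLEAN_KNOWN), False),    # known sender, clean history
]
def verdicts() -> list:
    return [bec_rule_matches(m) for m, _ in CASES]
```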