Body: Business Email Compromise (BEC) attempt from unsolicited sender

calendar Sep 22, 2023  ยท
Share on: linkedin copy

Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders.

Sublime rule (View on GitHub)

 1name: "Body: Business Email Compromise (BEC) attempt from unsolicited sender"
 2description: |
 3    Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and any(ml.nlu_classifier(body.current_thread.text).intents,
 9          .name in ("bec") and .confidence == "high"
10  )
11  and 1 of (
12    (
13      // mismatched From and Reply-to
14      length(headers.reply_to) > 0
15      and all(headers.reply_to, .email.domain.root_domain != sender.email.domain.root_domain)
16    ),
17    (
18      // DMARC failure
19      any(distinct(headers.hops, .authentication_results.dmarc is not null),
20          strings.ilike(.authentication_results.dmarc, "*fail")
21      )
22    ),
23    (
24      // SPF failure
25      any(distinct(headers.hops, .received_spf.verdict is not null),
26          strings.ilike(.received_spf.verdict, "*fail")
27      )
28    ),
29  )
30  
31  // negate "via" senders via dmarc authentication or gmail autoforwards
32  and (
33    not (
34      any(distinct(headers.hops, .authentication_results.dmarc is not null),
35          strings.ilike(.authentication_results.dmarc, "pass")
36          or (
37            not any([headers.return_path.email],
38                    strings.ilike(headers.return_path.local_part, "*+caf_=*")
39            )
40            and strings.contains(sender.display_name, "via")
41          )
42      )
43    )
44  )
45  
46  // unsolicited
47  and (
48    (
49      sender.email.domain.root_domain in $free_email_providers
50      and sender.email.email not in $recipient_emails
51    )
52    or (
53      sender.email.domain.root_domain not in $free_email_providers
54      and sender.email.domain.domain not in $recipient_domains
55    )
56  )  
57
58attack_types:
59  - "BEC/Fraud"
60tactics_and_techniques:
61  - "Social engineering"
62  - "Spoofing"
63detection_methods:
64  - "Content analysis"
65  - "File analysis"
66  - "Header analysis"
67  - "Sender analysis"
68id: "57eccc45-0408-55ee-ae33-8203e166254a"
to-top