Body: Business Email Compromise (BEC) attempt from unsolicited sender

Detects potential Business Email Compromise (BEC) attacks in inbound mail by running the NLU intent classifier over the current-thread body text. It fires only when the sender is unsolicited (a free-mail address, or a domain, not present in the recipient address/domain lists) and at least one sender-authenticity signal is present: a Reply-To/From root-domain mismatch, a DMARC failure, or an SPF failure. Messages that pass DMARC, or whose display name marks a "via" intermediary (other than Gmail auto-forwards), are excluded.

Sublime rule

 1name: "Body: Business Email Compromise (BEC) attempt from unsolicited sender"
 2description: |
 3    Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and any(ml.nlu_classifier(body.current_thread.text).intents,
 9          .name in ("bec") and .confidence == "high"
10  )
11  and 1 of (
12    (
13      // mismatched From and Reply-to
14      length(headers.reply_to) > 0
15      and all(headers.reply_to, .email.domain.root_domain != sender.email.domain.root_domain)
16    ),
17    (
18      // DMARC failure
19      any(distinct(headers.hops, .authentication_results.dmarc is not null),
20          strings.ilike(.authentication_results.dmarc, "*fail")
21      )
22    ),
23    (
24      // SPF failure
25      any(distinct(headers.hops, .received_spf.verdict is not null),
26          strings.ilike(.received_spf.verdict, "*fail")
27      )
28    ),
29  )
30  
31  // negate "via" senders via dmarc authentication or gmail autoforwards
32  and (
33    not (
34      any(distinct(headers.hops, .authentication_results.dmarc is not null),
35          strings.ilike(.authentication_results.dmarc, "pass")
36          or (
37            not any([headers.return_path.email],
38                    strings.ilike(headers.return_path.local_part, "*+caf_=*")
39            )
40            and strings.contains(sender.display_name, "via")
41          )
42      )
43    )
44  )
45  
46  // unsolicited
47  and (
48    (
49      sender.email.domain.root_domain in $free_email_providers
50      and sender.email.email not in $recipient_emails
51    )
52    or (
53      sender.email.domain.root_domain not in $free_email_providers
54      and sender.email.domain.domain not in $recipient_domains
55    )
56  )  
57
58attack_types:
59  - "BEC/Fraud"
60tactics_and_techniques:
61  - "Social engineering"
62  - "Spoofing"
63detection_methods:
64  - "Content analysis"
65  - "File analysis"
66  - "Header analysis"
67  - "Sender analysis"
68id: "57eccc45-0408-55ee-ae33-8203e166254a"