Body: Business Email Compromise (BEC) attempt from unsolicited sender
Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders.
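name: "Body: Business Email Compromise (BEC) attempt from unsolicited sender"
description: |
  Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // the NLU classifier must label the current thread body as BEC with high confidence
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("bec") and .confidence == "high"
  )

  // at least one sender-authenticity signal must also be present
  and 1 of (
    (
      // mismatched From and Reply-To: every Reply-To address sits on a
      // different root domain than the sender
      length(headers.reply_to) > 0
      and all(headers.reply_to,
              .email.domain.root_domain != sender.email.domain.root_domain
      )
    ),
    (
      // DMARC failure on any hop that carries a DMARC result
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    ),
    (
      // SPF failure on any hop that carries an SPF verdict
      // (the "*fail" wildcard also matches "softfail")
      any(distinct(headers.hops, .received_spf.verdict is not null),
          strings.ilike(.received_spf.verdict, "*fail")
      )
    ),
  )

  // negate "via" senders via dmarc authentication or gmail autoforwards:
  // suppress when the message passed DMARC, or when the display name carries
  // "via" (relaying service) and the return-path is not a Gmail auto-forward
  // (Gmail rewrites the return-path local part with "+caf_=").
  // NOTE(review): the "via" exemption is evaluated inside the any() over hops
  // that carry a DMARC result, so a "via" message with no DMARC result is not
  // exempted here -- confirm this is intended.
  and (
    not (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "pass")
          or (
            not any([headers.return_path.email],
                    strings.ilike(headers.return_path.local_part, "*+caf_=*")
            )
            and strings.contains(sender.display_name, "via")
          )
      )
    )
  )

  // unsolicited: free-mail senders are matched per address, all other
  // senders per domain, against the org's prior recipient lists
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Spoofing"
# The rule inspects body text, authentication headers and sender lists only;
# it references no attachment or file fields, so "File analysis" is not an
# accurate detection method. The NLU classifier call is recorded instead.
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "57eccc45-0408-55ee-ae33-8203e166254a"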