Extortion / sextortion (untrusted sender)

calendar Aug 8, 2025  ·
Share on: linkedin copy

Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.

Sublime rule (View on GitHub)

  1name: "Extortion / sextortion (untrusted sender)"
  2description: |
  3    Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
  4references:
  5  - "https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/"
  6type: "rule"
  7severity: "low"
  8source: |
  9  type.inbound
 10  and length(filter(body.links, .display_text is not null)) < 10
 11  and not (
 12    ml.nlu_classifier(body.current_thread.text).language == "english"
 13    and any(beta.ml_topic(body.html.display_text).topics,
 14            .name in (
 15              "News and Current Events",
 16              "Newsletters and Digests",
 17              "Advertising and Promotions"
 18            )
 19            and .confidence == "high"
 20    )
 21  )
 22  and (
 23    (
 24      any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text)).intents,
 25          .name == "extortion" and .confidence == "high"
 26      )
 27      and any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text
 28                                )
 29              ).entities,
 30              .name == "financial"
 31      )
 32    )
 33    // manual indicators failsafe
 34    or 3 of (
 35      // malware terms
 36      regex.icontains(strings.replace_confusables(body.current_thread.text),
 37                      "(?:(?:spy|mal)ware|t[rŗ]ojan|remote (?:[aḁ]ccess|control)|infiltrat(?:ed|ion))"
 38      ),
 39      // actions recorded
 40      regex.icontains(strings.replace_confusables(body.current_thread.text),
 41                      "(?:po[rŗ]n|adult (?:web)?site|webcam|mastu[rŗ]bating|je[rŗ]king off|pleasu[rŗ]ing you[rŗ]self|getting off|explicit)"
 42      ),
 43      regex.icontains(strings.replace_confusables(body.current_thread.text),
 44                      "pe[rŗ]ve[rŗ]t|pe[rŗ]ve[rŗ]sion|mastu[rŗ]bat"
 45      ),
 46      // a timeframe to pay
 47      regex.icontains(strings.replace_confusables(body.current_thread.text),
 48                      '[ilo0-9]{2} (?:hou[rŗ]s|uu[rŗ])',
 49                      '(?:one|two|th[rŗ]ee|\d) days?'
 50      ),
 51      // a promise from the actor
 52      regex.icontains(strings.replace_confusables(body.current_thread.text),
 53                      '(?:pe[rŗ]manently|will) delete|([rŗ]emove|destroy) (?:\w+\s*){0,4} (?:data|evidence|videos?)'
 54      ),
 55      // a threat from the actor
 56      regex.icontains(strings.replace_confusables(body.current_thread.text),
 57                      '(?:sen[dt]|forward)\s*(?:\w+\s*){0,2}\s*to\s*(?:\w+\s*){0,3}\s*.{0,10}(?:contacts|media|family|friends|coworkers)'
 58      ),
 59      // bitcoin language (excluding newsletters)
 60      (
 61        regex.icontains(strings.replace_confusables(body.current_thread.text),
 62                        'bitc[oöة]+in|\bbtc\b|blockchain'
 63        )
 64        // negate cryptocurrency newsletters
 65        and not (
 66          any(body.links,
 67              strings.icontains(.display_text, "unsubscribe")
 68              and (
 69                strings.icontains(.href_url.path, "unsubscribe")
 70                // handle mimecast URL rewrites
 71                or (
 72                  .href_url.domain.root_domain == 'mimecastprotect.com'
 73                  and strings.icontains(.href_url.query_params,
 74                                        sender.email.domain.root_domain
 75                  )
 76                )
 77              )
 78          )
 79        )
 80      ),
 81      (
 82        regex.icontains(strings.replace_confusables(body.current_thread.text),
 83                        '(?:contact the police|(?:bitcoin|\bbtc\b).{0,20}wallet)'
 84        )
 85        and regex.icontains(strings.replace_confusables(body.current_thread.text),
 86                            '(?:\b[13][a-km-zA-HJ-NP-Z0-9]{24,34}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(?:0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
 87        )
 88      ),
 89      regex.icontains(strings.replace_confusables(body.current_thread.text),
 90                      'bc1q.{0,50}\b'
 91      )
 92    )
 93  )
 94  and (
 95    not profile.by_sender().solicited
 96    or (
 97      profile.by_sender().any_messages_malicious_or_spam
 98      and not profile.by_sender().any_messages_benign
 99    )
100    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
101  
102    // many extortion emails spoof sender domains and fail sender authentication
103    or (
104      not headers.auth_summary.dmarc.pass
105      or headers.auth_summary.dmarc.pass is null
106      or not headers.auth_summary.spf.pass
107    )
108  )
109  
110  // negate benign newsletters that mention cyber extortion
111  and not (
112    any(body.links,
113        strings.icontains(.display_text, "unsubscribe")
114        and strings.icontains(.href_url.path, "unsubscribe")
115        // newsletters are typically longer than the average extortion script
116        and length(body.current_thread.text) > 2000
117    )
118  )
119  and length(body.current_thread.text) < 6000
120  // negate highly trusted sender domains unless they fail DMARC authentication
121  and (
122    (
123      sender.email.domain.root_domain in $high_trust_sender_root_domains
124      and not headers.auth_summary.dmarc.pass
125    )
126    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
127  )  
128
129attack_types:
130  - "Extortion"
131tactics_and_techniques:
132  - "Social engineering"
133  - "Spoofing"
134detection_methods:
135  - "Content analysis"
136  - "Header analysis"
137  - "Natural Language Understanding"
138  - "Sender analysis"
139id: "265913eb-2ccd-5f77-9a09-f6d8539fd2f6"
to-top