Extortion / sextortion (untrusted sender)

Detects extortion and sextortion attempts by analyzing the email body text from a first-time sender.

Sublime rule (View on GitHub)

# Sublime Security detection rule. Three AND'd clauses in `source:`: an
# extortion content signal, an untrusted-sender gate, and a body-length cap.
name: "Extortion / sextortion (untrusted sender)"
description: |
    Detects extortion and sextortion attempts by analyzing the email body text from a first-time sender.
references:
  - "https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/"
type: "rule"
severity: "low"
# The query below is a YAML block scalar: comments inside it use MQL's `//`
# syntax (a `#` line there would become part of the query text).
source: |
  type.inbound
  // --- clause 1: content signal ---------------------------------------------
  // Either the NLU classifier reports an "extortion" intent at high confidence
  // AND a "financial" entity, or at least three of the manual indicators match.
  and (
    (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "extortion" and .confidence == "high"
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "financial"
      )
    )
    // manual indicators failsafe
    // Phrases typical of sextortion scripts, matched case-insensitively against
    // the current thread's text (strings.icontains = substring, regex.icontains
    // = regex search).
    or 3 of (
      regex.icontains(body.current_thread.text, "((spy|mal)ware|trojan)"),
      regex.icontains(body.current_thread.text,
                      "porn|adult|webcam|masturbating|jerking off|pleasuring yourself|getting off"
      ),
      regex.icontains(body.current_thread.text, "pervert|perversion"),
      // two digits followed by " hours" (e.g. a "48 hours" payment deadline)
      regex.icontains(body.current_thread.text, '\d\d hours'),
      strings.icontains(body.current_thread.text, "permanently delete"),
      // NOTE(review): the next two expressions are joined with `and`, so the
      // "contact the police" phrase and the address pattern together count as
      // ONE of the three required indicators. If the address pattern was meant
      // to stand on its own, a comma is missing after the police check —
      // confirm against the upstream rule before changing.
      strings.icontains(body.current_thread.text, "contact the police")
      // appears to match cryptocurrency wallet address formats (the payment
      // demand); which address schemes are covered is not documented here
      and regex.icontains(body.current_thread.text,
                          '(\b[13][a-km-zA-HJ-NP-Z0-9]{24,33}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
      )
    )
  )
  // --- clause 2: untrusted sender --------------------------------------------
  // $free_email_providers, $sender_emails and $sender_domains are lists defined
  // outside this rule (presumably a free-mail domain list and the org's
  // previously-seen sender address/domain lists — confirm).
  and (
    (
      // free-mail sender: judge by the full address, since the domain is shared
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      // any other sender: judge by the sending domain
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )

    // many extortion emails spoof sender domains and fail sender authentication
    // Note this branch is OR'd with the two list checks above: a DMARC "fail"
    // or a compauth verdict other than pass/softpass on any hop satisfies this
    // clause by itself, even for a sender present on the known-sender lists.
    or any(headers.hops,
           .authentication_results.dmarc == "fail"
           or .authentication_results.compauth.verdict not in ("pass", "softpass")
    )
  )
  // --- clause 3: size cap ----------------------------------------------------
  // Only bodies under 6000 characters are considered; the rationale is not
  // stated in the rule (presumably to limit matches to short, standalone
  // extortion messages — confirm).
  and length(body.current_thread.text) < 6000  

attack_types:
  - "Extortion"
tactics_and_techniques:
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "265913eb-2ccd-5f77-9a09-f6d8539fd2f6"