Extortion / sextortion (untrusted sender)

Detects extortion and sextortion attempts by analyzing the body text of email messages from untrusted senders.

Sublime rule

# Sublime Security detection rule: YAML metadata with the detection logic (MQL)
# in the `source` literal block.
# Fires on inbound mail whose current-thread body reads as extortion/sextortion,
# but only when the sender is not already established as trusted.
name: "Extortion / sextortion (untrusted sender)"
description: |
    Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
references:
  - "https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/"
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    // Primary signal: the NLU classifier labels the body as "extortion" with
    // high confidence AND extracts a "financial" entity (i.e. a payment demand).
    (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "extortion" and .confidence == "high"
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "financial"
      )
    )
    // manual indicators failsafe: if the classifier misses, require at least
    // 3 of the keyword / pattern checks below to hit
    or 3 of (
      regex.icontains(body.current_thread.text, "((spy|mal)ware|trojan)"),
      regex.icontains(body.current_thread.text,
                      "porn|adult|webcam|masturbating|jerking off|pleasuring yourself|getting off"
      ),
      regex.icontains(body.current_thread.text, "pervert|perversion"),
      // payment-deadline phrasing, e.g. "48 hours"
      regex.icontains(body.current_thread.text, '\d\d hours'),
      strings.icontains(body.current_thread.text, "permanently delete"),
      // threat to involve police combined with a cryptocurrency wallet address;
      // the regex alternatives appear to be, in order: legacy Bitcoin (1/3 prefix),
      // Dash (X), Ethereum (0x + 40 hex), Litecoin (L/M/3) and Monero (4/8 prefix)
      // — verify before relying on that reading
      (
        strings.icontains(body.current_thread.text, "contact the police")
        and regex.icontains(body.current_thread.text,
                            '(\b[13][a-km-zA-HJ-NP-Z0-9]{24,33}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
        )
      ),
      // bech32 Bitcoin address (bc1q...)
      // NOTE(review): the ".{0,50}\b" suffix adds almost no constraint, so this is
      // effectively a substring match on "bc1q"; a bounded bech32 character class
      // would be tighter — confirm against the test corpus
      regex.icontains(body.current_thread.text, 'bc1q.{0,50}\b')
    )
  )
  // Sender-trust gate: at least one signal that the sender is untrusted.
  and (
    // sender is new to, or rarely seen by, this organization
    profile.by_sender().prevalence in ("new", "outlier")
    // sender has prior malicious/spam verdicts and no recorded false positives
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    // message relayed through Google Groups; presumably sender reputation is not
    // meaningful for list traffic — confirm intent with the rule author
    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
  
    // many extortion emails spoof sender domains and fail sender authentication
    // NOTE(review): if a hop carries no compauth result, "not in" may evaluate
    // true for that hop — verify MQL null semantics; otherwise this branch admits
    // most mail that did not traverse a Microsoft hop
    or any(headers.hops,
           .authentication_results.dmarc == "fail"
           or .authentication_results.compauth.verdict not in ("pass", "softpass")
    )
  )
  // body-length cap; presumably excludes long threads/newsletters where the
  // keyword indicators would hit incidentally — confirm
  and length(body.current_thread.text) < 6000  

# Taxonomy / metadata consumed by the Sublime platform for reporting.
attack_types:
  - "Extortion"
tactics_and_techniques:
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "265913eb-2ccd-5f77-9a09-f6d8539fd2f6"