Extortion / sextortion (first-time sender)
Detects extortion and sextortion attempts by running NLU intent classification over the email body text, and fires only when the message comes from a first-time sender (a freemail address or an organisational domain not seen before) or fails DMARC.
Sublime rule (View on GitHub)
```yaml
name: "Extortion / sextortion (first-time sender)"
description: |
  Detects extortion and sextortion attempts by analyzing the email body text from a first-time sender.
references:
  - "https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/"
type: "rule"
severity: "low"
source: |
  type.inbound
  and any([body.html.display_text, body.plain.raw],
          any(ml.nlu_classifier(.).intents,
              .name == "extortion" and .confidence == "high"
          )
          and (
            any(ml.nlu_classifier(.).entities, .name == "financial")
          )
  )

  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
    // many extortion emails spoof sender domains and fail sender authentication
    or any(headers.hops, .authentication_results.dmarc == "fail")
  )

tags:
  - "Machine Learning"
  - "Natural Language Understanding"
  - "Extortion"
  - "Sextortion"
```
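The rule's boolean structure is easy to misread: the "first-time sender" test is per address for freemail senders but per domain for everyone else, and a DMARC failure on any hop bypasses the first-time check entirely. The following Python stand-in, an added example that is not part of the Sublime rule or its repository, reproduces that logic so it can be exercised offline against constructed messages. Everything outside the rule text is an assumption: the three sets stand in for Sublime's `$free_email_providers`, `$sender_emails` and `$sender_domains` lists; `root_domain()` keeps only the last two labels (Sublime's uses the public suffix list, so `co.uk`-style domains differ); the NLU verdict is passed in as a dict in the shape the rule reads (intents with `name`/`confidence`, entities with `name`) because `ml.nlu_classifier` is Sublime's own model and is not reimplemented; and `type.inbound` is taken as given. DMARC is read from the RFC 8601 `Authentication-Results` header, which is where a hop records `dmarc=fail`.

```python
"""Offline stand-in for the Sublime rule's boolean logic (added example, not Sublime's code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-ins for $free_email_providers, $sender_emails, $sender_domains.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}
KNOWN_SENDER_EMAILS = {"alice@gmail.com"}        # freemail addresses seen before
KNOWN_SENDER_DOMAINS = {"partner.example"}       # organisational domains seen before

# RFC 8601 Authentication-Results records a DMARC failure as "dmarc=fail".
DMARC_FAIL = re.compile(r"\bdmarc=fail\b", re.IGNORECASE)


def root_domain(domain: str) -> str:
    """'mail.contoso.example' -> 'contoso.example'. Simplified: keeps the last two
    labels; Sublime's root_domain uses the public suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def body_matches(nlu: dict) -> bool:
    """any(intents, .name == "extortion" and .confidence == "high")
    and any(entities, .name == "financial"), over a supplied NLU verdict."""
    extortion = any(i["name"] == "extortion" and i["confidence"] == "high"
                    for i in nlu.get("intents", []))
    financial = any(e["name"] == "financial" for e in nlu.get("entities", []))
    return extortion and financial


def sender_gate(raw_email: str) -> bool:
    """Second clause of the rule: first-time sender, or DMARC failed on any hop."""
    msg = message_from_string(raw_email)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    domain = addr.rsplit("@", 1)[-1]
    if root_domain(domain) in FREE_EMAIL_PROVIDERS:
        first_time = addr not in KNOWN_SENDER_EMAILS       # freemail: per address
    else:
        first_time = domain not in KNOWN_SENDER_DOMAINS   # org domain: per domain
    dmarc_failed = any(DMARC_FAIL.search(v)
                       for v in msg.get_all("Authentication-Results", []))
    return first_time or dmarc_failed


def rule_matches(raw_email: str, nlu: dict) -> bool:
    """type.inbound is assumed; body clause AND sender clause."""
    return body_matches(nlu) and sender_gate(raw_email)


# Constructed sample messages and classifier verdicts (not real captures).
MSG_FREEMAIL_UNKNOWN = """\
From: "Anonymous" <payme.now@gmail.com>
To: victim@corp.example
Subject: I have a video of you
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass header.from=gmail.com

Send 0.5 BTC within 48 hours or the video goes to your contacts.
"""
# Same mail from a freemail address that has written before: the per-address check clears it.
MSG_FREEMAIL_KNOWN = MSG_FREEMAIL_UNKNOWN.replace("payme.now@gmail.com", "alice@gmail.com")
# Known partner domain, but spoofed: DMARC fails, so the first-time check is bypassed.
MSG_SPOOFED_KNOWN_DOMAIN = """\
From: "IT Department" <it@partner.example>
To: victim@corp.example
Subject: Your account has been compromised
Authentication-Results: mx.corp.example; spf=fail; dkim=none; dmarc=fail header.from=partner.example

Pay 0.3 BTC or your mailbox contents will be leaked.
"""
# Unseen organisational subdomain with passing DMARC: only the per-domain branch fires.
MSG_SUBDOMAIN_UNKNOWN = MSG_FREEMAIL_UNKNOWN.replace(
    "payme.now@gmail.com", "billing@mail.contoso.example").replace(
    "header.from=gmail.com", "header.from=mail.contoso.example")

NLU_EXTORTION = {"intents": [{"name": "extortion", "confidence": "high"}],
                 "entities": [{"name": "financial", "text": "0.5 BTC"}]}
NLU_EXTORTION_NO_AMOUNT = {"intents": [{"name": "extortion", "confidence": "high"}],
                           "entities": []}
NLU_EXTORTION_MEDIUM = {"intents": [{"name": "extortion", "confidence": "medium"}],
                        "entities": [{"name": "financial", "text": "$500"}]}

if __name__ == "__main__":
    cases = [("freemail, first time", MSG_FREEMAIL_UNKNOWN, NLU_EXTORTION),
             ("freemail, known address", MSG_FREEMAIL_KNOWN, NLU_EXTORTION),
             ("known domain, DMARC fail", MSG_SPOOFED_KNOWN_DOMAIN, NLU_EXTORTION),
             ("unknown subdomain", MSG_SUBDOMAIN_UNKNOWN, NLU_EXTORTION),
             ("no financial entity", MSG_FREEMAIL_UNKNOWN, NLU_EXTORTION_NO_AMOUNT),
             ("medium confidence", MSG_FREEMAIL_UNKNOWN, NLU_EXTORTION_MEDIUM)]
    for label, raw, nlu in cases:
        print(f"{label:28s} -> {rule_matches(raw, nlu)}")
```

Running it shows why the rule is scoped the way it is: a known freemail correspondent is excluded even with an extortion verdict, while a spoofed mail from a trusted partner domain still matches because DMARC failed. Tuning the rule in production means tuning those lists and the classifier thresholds, not the boolean skeleton.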
Related rules
- Employee impersonation with urgent request (first-time sender)
- Attachment: Adobe branded PDF file linking to a password-protected file from first-time sender
- Body: Business Email Compromise (BEC) attempt from first-time sender
- Callback Phishing NLU body or attachment from first-time sender
- Domain Impersonation: Freemail ReplyTo_Local Lookalike with Financial Request