Extortion / sextortion (first-time sender)

Detects extortion and sextortion attempts by analyzing the email body text from a first-time sender.

Sublime rule (View on GitHub)

name: "Extortion / sextortion (first-time sender)"
description: |
  Detects extortion and sextortion attempts by analyzing the email body text from a first-time sender.
references:
  - "https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/"
type: "rule"
severity: "low"
source: |
  type.inbound
  and any([body.html.display_text, body.plain.raw],
          any(ml.nlu_classifier(.).intents,
              .name == "extortion" and .confidence == "high"
          )
          and any(ml.nlu_classifier(.).entities, .name == "financial")
  )
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
    // many extortion emails spoof sender domains and fail sender authentication
    or any(headers.hops, .authentication_results.dmarc == "fail")
  )
tags:
  - "Machine Learning"
  - "Natural Language Understanding"
  - "Extortion"
  - "Sextortion"

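The rule combines three conditions: an NLU verdict on either body representation (extortion intent at high confidence plus a financial entity), a first-time-sender test that treats webmail senders by full address and organisational senders by domain, and a fallback for spoofed senders that fail DMARC on any hop. The following Python emulation is an added example, not part of the Sublime rule or its engine: the classifier verdicts, the `FREE_EMAIL_PROVIDERS` set and the `KNOWN_EMAILS` / `KNOWN_DOMAINS` sets stand in for `ml.nlu_classifier`, `$free_email_providers`, `$sender_emails` and `$sender_domains`, and `root_domain` is a two-label simplification of MQL's public-suffix-aware `.root_domain`.

```python
# Added example: emulates the rule's boolean logic on constructed messages
# so each branch (NLU verdict, first-time sender, DMARC failure) can be traced.
from dataclasses import dataclass, field

# Constructed stand-in for the $free_email_providers list.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}


@dataclass
class NluVerdict:
    """Constructed stand-in for ml.nlu_classifier(body).intents / .entities."""
    intents: list   # (name, confidence) pairs
    entities: list  # entity names


@dataclass
class Message:
    sender_email: str
    body_verdicts: list                                 # one verdict per body part
    dmarc_per_hop: list = field(default_factory=list)   # "pass" / "fail" / "none"


def root_domain(domain: str) -> str:
    # Simplification: MQL's .root_domain consults the public suffix list;
    # taking the last two labels is enough for the sample data below.
    return ".".join(domain.lower().split(".")[-2:])


def body_flags_extortion(verdict: NluVerdict) -> bool:
    """True when an 'extortion' intent is high confidence AND a financial entity is present."""
    high_extortion = any(name == "extortion" and conf == "high"
                         for name, conf in verdict.intents)
    return high_extortion and "financial" in verdict.entities


def is_first_time_sender(sender_email: str, known_emails: set, known_domains: set) -> bool:
    domain = sender_email.split("@", 1)[1].lower()
    if root_domain(domain) in FREE_EMAIL_PROVIDERS:
        # Webmail: the identity is the full address, so compare addresses.
        return sender_email.lower() not in known_emails
    # Organisational domain: compare the sending domain itself.
    return domain not in known_domains


def rule_matches(msg: Message, known_emails: set, known_domains: set) -> bool:
    any_body_hit = any(body_flags_extortion(v) for v in msg.body_verdicts)
    dmarc_fail = any(r == "fail" for r in msg.dmarc_per_hop)
    return any_body_hit and (
        is_first_time_sender(msg.sender_email, known_emails, known_domains) or dmarc_fail
    )


# Constructed sample data: verdicts, sender history and five test messages.
EXTORTION_VERDICT = NluVerdict(intents=[("extortion", "high")], entities=["financial"])
WEAK_VERDICT = NluVerdict(intents=[("extortion", "medium")], entities=["financial"])
KNOWN_EMAILS = {"friend@gmail.com"}
KNOWN_DOMAINS = {"partner.example"}

SAMPLES = {
    "new_webmail_sender": Message("stranger@gmail.com", [EXTORTION_VERDICT]),
    "known_webmail_sender": Message("friend@gmail.com", [EXTORTION_VERDICT]),
    "spoofed_known_domain_dmarc_fail": Message("ceo@partner.example", [EXTORTION_VERDICT], ["fail"]),
    "known_domain_dmarc_pass": Message("ceo@partner.example", [EXTORTION_VERDICT], ["pass"]),
    "low_confidence_intent": Message("stranger@gmail.com", [WEAK_VERDICT]),
}


def evaluate_samples() -> dict:
    """Returns the rule verdict for every constructed sample message."""
    return {name: rule_matches(m, KNOWN_EMAILS, KNOWN_DOMAINS) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:35s} -> {'MATCH' if hit else 'no match'}")
```

The two `partner.example` samples show why the DMARC branch matters: the domain is already in the sender history, so the first-time-sender test alone would let a spoofed message through, and only the authentication failure on a hop makes the rule fire.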