BEC/Fraud: Fake investment outreach from suspicious TLD
Detects fake investment solicitation emails using "Investment into {company}" subject lines from suspicious TLDs. This campaign targets businesses with templated cold outreach purporting to represent family offices or private equity firms, using disposable domains with DGA-like characteristics.
Sublime rule
name: "BEC/Fraud: Fake investment outreach from suspicious TLD"
description: |
  Detects fake investment solicitation emails using "Investment into {company}"
  subject lines from suspicious TLDs. This campaign targets businesses with
  templated cold outreach purporting to represent family offices or private
  equity firms, using disposable domains with DGA-like characteristics.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.istarts_with(subject.base, 'investment into')
  and sender.email.domain.tld in $suspicious_tlds
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "Content analysis"
id: "5d4c4a15-661c-5fd1-9d5f-1c72c8230be8"
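The rule above is three predicates joined with `and`: the message is inbound, the subject (with reply/forward prefixes removed) starts with "investment into" case-insensitively, and the sender domain's TLD is on a suspicious-TLD list. The following Python is an added example, not Sublime's code, that re-implements that logic so it can be run over a handful of constructed messages. It assumes a small stand-in TLD set (the contents of Sublime's `$suspicious_tlds` list are not shown on the page) and approximates `subject.base` by stripping leading `Re:`/`Fw:`/`Fwd:` prefixes; it takes the last DNS label as the TLD, so multi-label public suffixes such as `co.uk` are not resolved the way a public-suffix-aware engine would.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for Sublime's $suspicious_tlds list (assumption:
# the real list's contents are not on the page).
SUSPICIOUS_TLDS = {"top", "xyz", "icu", "cfd", "rest"}

# Leading reply/forward markers, possibly stacked ("RE: FW: ...").
_PREFIX_RE = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


@dataclass
class Message:
    inbound: bool          # stands in for MQL type.inbound
    subject: str
    sender_email: str      # stands in for sender.email


def subject_base(subject: str) -> str:
    """Approximation of MQL subject.base: drop Re:/Fw:/Fwd: prefixes."""
    return _PREFIX_RE.sub("", subject).strip()


def sender_tld(email: str) -> str:
    """Last DNS label of the sender domain (no public-suffix handling)."""
    domain = email.rsplit("@", 1)[-1].lower().rstrip(".")
    return domain.rsplit(".", 1)[-1] if "." in domain else ""


def matches_rule(msg: Message, suspicious_tlds=SUSPICIOUS_TLDS) -> bool:
    """True when all three predicates of the Sublime rule hold."""
    return (
        msg.inbound
        and subject_base(msg.subject).lower().startswith("investment into")
        and sender_tld(msg.sender_email) in suspicious_tlds
    )


# Constructed sample traffic: one hit, one hit behind a reply prefix,
# and three non-matching messages covering each predicate.
SAMPLE_MESSAGES = [
    Message(True, "Investment into Acme Widgets Ltd", "partner@qk3vx7p.top"),
    Message(True, "RE: Investment into Acme Widgets Ltd", "desk@zz91ma.xyz"),
    Message(False, "Investment into Acme Widgets Ltd", "partner@qk3vx7p.top"),
    Message(True, "Investment into Acme Widgets Ltd", "ir@example.com"),
    Message(True, "Investment opportunity for Acme", "partner@qk3vx7p.top"),
]


def run_detection(messages):
    """Return the sender addresses of messages the rule would flag."""
    return [m.sender_email for m in messages if matches_rule(m)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_MESSAGES):
        print("flagged:", hit)
```

Because the rule keys on a subject prefix and a TLD rather than on any body content, a tenant-specific exclusion for known investors or counterparties on those TLDs is the usual tuning step; the example keeps the TLD set as a parameter to `matches_rule` for that reason.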