Investor solicitation with organization targeting
Detects messages targeting organizations with investment solicitations that specifically reference the recipient's organization by extracting the organization name and matching it to the recipient's email domain.
# Sublime detection rule. The top-level keys are rule metadata; the detection
# logic itself is the MQL expression held in the `source` block scalar.
name: "Investor solicitation with organization targeting"
description: "Detects messages targeting organizations with investment solicitations that specifically reference the recipient's organization by extracting the organization name and matching it to the recipient's email domain."
type: "rule"
severity: "medium"
# MQL: every top-level `and` clause below must hold for the rule to match.
source: |
  type.inbound
  // (1) the message names the recipient's organization, either in the
  //     subject or via a boilerplate sentence in the body
  and (
    // subject contains recipient's org name (.email.domain.sld, presumably
    // the second-level domain label)
    any(recipients.to,
        strings.icontains(subject.subject, .email.domain.sld)
        // require a 2+ character label so a 1-character sld cannot
        // trivially substring-match the subject
        and regex.imatch(.email.domain.sld, '.{2,}')
    )
    or
    // body extracts org name matching recipient domain: the 2-20 letter word
    // directly before "came to our attention" / "recently came to our attention"
    // NOTE(review): this branch compares against .email.domain.domain while the
    // subject branch uses .email.domain.sld — confirm the asymmetry is intended
    any(regex.extract(body.current_thread.text,
                      '(?P<org>[a-zA-Z]{2,20})\s(?:recently\s)?came to our attention'
        ),
        // ..named_groups refers to the enclosing extract match, not the recipient
        any(recipients.to,
            strings.icontains(.email.domain.domain, ..named_groups["org"])
        )
    )
  )
  // (2) replies are steered to a root domain other than the sender's
  // NOTE(review): any() over an empty headers.reply_to is presumably false, so
  // a message with no Reply-To header cannot match — confirm this is intended
  and any(headers.reply_to,
          .email.domain.root_domain != sender.email.domain.root_domain
  )
  // (3) greeting uses recipient's email local_part, either in full or just the
  //     leading token before the first '.' or '_' (presumably a first name)
  and any(recipients.to,
          (
            strings.icontains(body.current_thread.text,
                              strings.concat("Dear ", .email.local_part)
            )
            or any(regex.extract(.email.local_part, '^(?P<first>[^._]+)'),
                   strings.icontains(body.current_thread.text,
                                     strings.concat("Dear ",
                                                    .named_groups["first"]
                                     )
                   )
            )
          )
  )
  // (4) financial/investment cold outreach language: at least two of the
  //     phrases below (case-insensitive), or all three NLU topics
  and (
    2 of (
      strings.icontains(body.current_thread.text, "alternative investments"),
      strings.icontains(body.current_thread.text, "raising capital"),
      strings.icontains(body.current_thread.text, "came to our attention"),
      strings.icontains(body.current_thread.text, "private markets"),
      strings.icontains(body.current_thread.text, "fundraising"),
      strings.icontains(body.current_thread.text, "investment opportunities"),
      strings.icontains(body.current_thread.text, "introductory"),
      strings.icontains(body.current_thread.text, "commitment size"),
      strings.icontains(body.current_thread.text, "ultra-high-net-worth"),
      strings.icontains(body.current_thread.text, "deployed capital"),
      strings.icontains(body.current_thread.text, "value creation"),
      strings.icontains(body.current_thread.text, "capital planning")
    )
    or (
      // each topic is checked with its own any() over the classifier's topics
      any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "Financial Communications"
      )
      and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "Out of Band Pivot"
      )
      and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "B2B Cold Outreach"
      )
    )
  )
# Classification metadata.
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
id: "3b2165c9-7c3d-5cce-a3ec-778e7895d653"