BEC/Fraud - Job Scam Fake thread or plaintext pivot to freemail
Detects potential job scams using plaintext or fake threads attempting to pivot to a freemail address from an unsolicited sender.
Sublime rule (View on GitHub)
1name: "BEC/Fraud - Job Scam Fake thread or plaintext pivot to freemail"
2description: "Detects potential job scams using plaintext or fake threads attempting to pivot to a freemail address from an unsolicited sender."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and any(ml.nlu_classifier(body.current_thread.text).entities,
8 .name in ("greeting", "salutation")
9 )
10
11 // most likely to occur in plain text
12 and (
13 body.html.raw is null
14 or
15
16 // HTML is not null but fake thread
17 (
18 strings.istarts_with(subject.subject, "RE:")
19 or strings.istarts_with(subject.subject, "FWD:")
20 )
21 and (
22 (length(headers.references) == 0 and headers.in_reply_to is null)
23 or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
24 )
25 )
26 and 3 of (
27 any([subject.subject, body.current_thread.text],
28 regex.icontains(., '(full|part).time')
29 ),
30 strings.ilike(body.current_thread.text, '*job*'),
31 regex.icontains(body.current_thread.text, '\bHR\b'),
32 strings.ilike(body.current_thread.text, '*manager*'),
33 strings.ilike(body.current_thread.text, '*commission*'),
34 strings.ilike(body.current_thread.text, '*hourly*'),
35 strings.ilike(body.current_thread.text, '*prior experience*'),
36 strings.ilike(body.current_thread.text, '*company rep*'),
37 strings.ilike(body.current_thread.text, "100% legal")
38 )
39
40 // all attachments are images or there's no attachments
41 and (
42 (
43 length(attachments) > 0
44 and all(attachments, .file_type in $file_types_images)
45 )
46 or length(attachments) == 0
47 )
48
49 // there's an email in the body
50 and regex.contains(body.current_thread.text,
51 "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
52 )
53
54 // and it's likely a freemail
55 and any($free_email_providers, strings.icontains(body.current_thread.text, .))
56
57 // and that email doesn't match the sender domain
58 and (
59 all(body.links, .href_url.domain.root_domain != sender.email.domain.domain)
60 or sender.email.domain.root_domain in $free_email_providers
61 )
62 and (
63 (
64 not profile.by_sender().solicited
65 and not profile.by_sender().any_false_positives
66 )
67 or profile.by_sender().any_messages_malicious_or_spam
68 )
69 and not profile.by_sender().any_false_positives
70
71attack_types:
72 - "BEC/Fraud"
73tactics_and_techniques:
74 - "Free email provider"
75 - "Out of band pivot"
76detection_methods:
77 - "Content analysis"
78 - "File analysis"
79 - "Natural Language Understanding"
80id: "ce21c151-90c2-5573-b19e-3dcbcfc0a195"