BEC/Fraud - Job Scam Fake thread or plaintext pivot to freemail

calendar Jan 8, 2024  ยท
Share on: linkedin copy

Detects potential job scams using plaintext or fake threads attempting to pivot to a freemail address from an unsolicited sender.

Sublime rule (View on GitHub)

 1name: "BEC/Fraud - Job Scam Fake thread or plaintext pivot to freemail"
 2description: "Detects potential job scams using plaintext or fake threads attempting to pivot to a freemail address from an unsolicited sender."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(ml.nlu_classifier(body.current_thread.text).entities,
 8          .name in ("greeting", "salutation")
 9  )
10  
11  // most likely to occur in plain text
12  and (
13    body.html.raw is null
14    or 
15  
16    // HTML is not null but fake thread
17    (
18      strings.istarts_with(subject.subject, "RE:")
19      or strings.istarts_with(subject.subject, "FWD:")
20    )
21    and (
22      (length(headers.references) == 0 and headers.in_reply_to is null)
23      or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
24    )
25  )
26  and 3 of (
27    any([subject.subject, body.current_thread.text],
28        regex.icontains(., '(full|part).time')
29    ),
30    strings.ilike(body.current_thread.text, '*job*'),
31    regex.icontains(body.current_thread.text, '\bHR\b'),
32    strings.ilike(body.current_thread.text, '*manager*'),
33    strings.ilike(body.current_thread.text, '*commission*'),
34    strings.ilike(body.current_thread.text, '*hourly*'),
35    strings.ilike(body.current_thread.text, '*prior experience*'),
36    strings.ilike(body.current_thread.text, '*company rep*'),
37    strings.ilike(body.current_thread.text, "100% legal")
38  )
39  
40  // all attachments are images or there's no attachments
41  and (
42    (
43      length(attachments) > 0
44      and all(attachments, .file_type in $file_types_images)
45    )
46    or length(attachments) == 0
47  )
48  
49  // there's an email in the body
50  and regex.contains(body.current_thread.text,
51                     "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
52  )
53  
54  // and it's likely a freemail
55  and any($free_email_providers, strings.icontains(body.current_thread.text, .))
56  
57  // and that email doesn't match the sender domain
58  and (
59    all(body.links, .href_url.domain.root_domain != sender.email.domain.domain)
60    or sender.email.domain.root_domain in $free_email_providers
61  )
62  and (
63    (
64      not profile.by_sender().solicited
65      and not profile.by_sender().any_false_positives
66    )
67    or profile.by_sender().any_messages_malicious_or_spam
68  )
69  and not profile.by_sender().any_false_positives  
70
71attack_types:
72  - "BEC/Fraud"
73tactics_and_techniques:
74  - "Free email provider"
75  - "Out of band pivot"
76detection_methods:
77  - "Content analysis"
78  - "File analysis"
79  - "Natural Language Understanding"
80id: "ce21c151-90c2-5573-b19e-3dcbcfc0a195"
to-top