Body: PayApp transaction reference pattern

Detects messages containing PayApp transaction reference numbers in a specific format (PayApp# followed by digits) in either the message body or subject line.

Sublime rule

name: "Body: PayApp transaction reference pattern"
description: "Detects messages containing PayApp transaction reference numbers in a specific format (PayApp# followed by digits) in either the message body or subject line."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and regex.icontains(body.current_thread.text, 'PayApp#\d+')
  and regex.icontains(body.current_thread.text, '[a-z0-9\.\+\-]+@[a-z0-9\-]+\.')
  and strings.icontains(subject.base, "payapp")
attack_types:
  - "Callback Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
id: "2dc8b3cd-d6d7-52fb-a296-b2840333925b"
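To see how the rule's conditions combine (inbound gate, case-insensitive `PayApp#` reference, an email-like string in the body, and "payapp" in the prefix-stripped subject, all ANDed), here is an added Python re-implementation run over constructed sample messages. It is not Sublime's engine or the rule author's code; the `Message` class and `subject_base` helper are assumptions that approximate `body.current_thread.text` and `subject.base`.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the Sublime message object: only the fields the rule reads.
@dataclass
class Message:
    inbound: bool     # stands in for type.inbound
    subject: str      # raw subject; subject_base() approximates subject.base
    body_text: str    # stands in for body.current_thread.text

# Same patterns as the rule, with the rule's case-insensitive (icontains) semantics.
PAYAPP_REF = re.compile(r"PayApp#\d+", re.IGNORECASE)
EMAIL_LIKE = re.compile(r"[a-z0-9.+\-]+@[a-z0-9\-]+\.", re.IGNORECASE)
# Assumption: subject.base strips leading reply/forward tokens such as "Re:" and "Fwd:".
REPLY_PREFIX = re.compile(r"^\s*(?:re|fw|fwd)\s*:\s*", re.IGNORECASE)

def subject_base(subject: str) -> str:
    """Approximation of subject.base: repeatedly drop a leading Re:/Fw:/Fwd: token."""
    while True:
        stripped = REPLY_PREFIX.sub("", subject, count=1)
        if stripped == subject:
            return subject
        subject = stripped

def matches_rule(msg: Message) -> bool:
    """Mirror of the rule: every condition must hold, so a lure needs all three signals."""
    return (
        msg.inbound
        and PAYAPP_REF.search(msg.body_text) is not None
        and EMAIL_LIKE.search(msg.body_text) is not None
        and "payapp" in subject_base(msg.subject).lower()
    )

# Constructed sample messages (not real mail) covering the hit and each miss case.
SAMPLES = {
    "lure": Message(True, "Re: Your PayApp receipt",
                    "Order PAYAPP#48213 charged $499. Dispute: billing@pay-app-support.com"),
    "no_subject_hit": Message(True, "Invoice attached", "Ref PayApp#1 support@example.net"),
    "no_address": Message(True, "PayApp notice", "Ref PayApp#9999, call us."),
    "outbound": Message(False, "PayApp notice", "PayApp#5 me@example.org"),
}

def evaluate(samples=SAMPLES) -> dict:
    """Return {sample name: True if the rule would fire}."""
    return {name: matches_rule(m) for name, m in samples.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {'ALERT' if hit else 'clean'}")
```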