Business Email Compromise (BEC) attempt from untrusted sender (French/Français)

Detects potential Business Email Compromise (BEC) attacks by searching for common French BEC language within the email body from first-time senders.


 1name: "Business Email Compromise (BEC) attempt from untrusted sender (French/Français)"
 2description: "Detects potential Business Email Compromise (BEC) attacks by searching for common French BEC language within the email body from first-time senders."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.links) == 0
 8  and ml.nlu_classifier(body.current_thread.text).language == "french"
 9  and 1 of (
10    regex.icontains(subject.subject,
11                    '(mise (a|à) jour|changé|changement).{0,20}(bancaire|de banque)'
12    ),
13    regex.icontains(body.current_thread.text,
14                    '(changement|changé) de (banque)|changement bancaire|coordonnées.{0,20}(compte|banque|bancaire|salaire)',
15    ),
16    (regex.icontains(body.current_thread.text, 'parler.{0,20}confiance'))
17  )
18  // negating legit replies
19  and not (
20    (
21      strings.istarts_with(subject.subject, "RE:")
22      // out of office auto-reply
23      // the NLU model will handle these better natively soon
24      or strings.istarts_with(subject.subject, "Automatic reply:")
25      or regex.imatch(subject.subject,
26                      '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
27      )
28    )
29    and (
30      length(headers.references) > 0
31      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
32    )
33  )
34  and (
35    not profile.by_sender().solicited
36    or (
37      profile.by_sender().any_messages_malicious_or_spam
38      and not profile.by_sender().any_false_positives
39    )
40  )
41  
42  // negate highly trusted sender domains unless they fail DMARC authentication
43  and (
44    (
45      sender.email.domain.root_domain in $high_trust_sender_root_domains
46      and not headers.auth_summary.dmarc.pass
47    )
48    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
49  )  
50
51attack_types:
52  - "BEC/Fraud"
53tactics_and_techniques:
54  - "Social engineering"
55detection_methods:
56  - "Content analysis"
57  - "Header analysis"
58  - "Sender analysis"
59id: "b7d1e096-d9cc-5a79-9753-5d9565794433"