Business Email Compromise (BEC) attempt from untrusted sender (French/Français)

Detects potential Business Email Compromise (BEC) attacks by searching for common French BEC language within the email body from first-time senders.


name: "Business Email Compromise (BEC) attempt from untrusted sender (French/Français)"
description: "Detects potential Business Email Compromise (BEC) attacks by searching for common French BEC language within the email body from first-time senders."
type: "rule"
severity: "medium"
source: |
  // scope: inbound mail with no links in the body, and French detected on the
  // current thread by the NLU classifier. Link-bearing lures are therefore out
  // of scope for this rule by design.
  type.inbound
  and length(body.links) == 0
  and ml.nlu_classifier(body.current_thread.text).language == "french"
  // any one of: bank-change language in the subject, bank/payroll-detail
  // language in the body, or a "parler ... confiance" phrase in the body
  and 1 of (
    regex.icontains(subject.subject,
                    '(mise (a|à) jour|changé|changement).{0,20}(bancaire|de banque)'
    ),
    regex.icontains(body.current_thread.text,
                    '(changement|changé) de (banque)|changement bancaire|coordonnées.{0,20}(compte|banque|bancaire|salaire)',
    ),
    (regex.icontains(body.current_thread.text, 'parler.{0,20}confiance'))
  )
  // negating legit replies
  // a reply-looking subject alone is not enough to negate: the message must
  // also carry threading headers (References or In-Reply-To), so a bare
  // "RE:" prefix on a message with no thread context still fires
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      // out of office auto-reply
      // the NLU model will handle these better natively soon
      or strings.istarts_with(subject.subject, "Automatic reply:")
      or regex.imatch(subject.subject,
                      '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
      )
    )
    and (length(headers.references) > 0 or headers.in_reply_to is not null)
  )
  // sender reputation: the sender is unsolicited, or has a history of
  // malicious/spam messages with no benign messages seen
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // $high_trust_sender_root_domains appears to be a list defined outside this
  // rule; a listed domain is only exempted when its DMARC result is a pass,
  // so a spoof of a trusted domain that fails DMARC stays in scope
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "b7d1e096-d9cc-5a79-9753-5d9565794433"