Link: BEC with newly registered domains and financial keywords
Detects Business Email Compromise attacks containing links to newly registered domains (less than 60 days old) with invoice-related language and engaging action words. The message includes financial or payment terminology and prompts the recipient to take action through suspicious links. Uses natural language processing to identify credential theft or BEC intent while filtering out benign communications.
Sublime rule

```yaml
name: "Link: BEC with newly registered domains and financial keywords"
description: "Detects Business Email Compromise attacks containing links to newly registered domains (less than 60 days old) with invoice-related language and engaging action words. The message includes financial or payment terminology and prompts the recipient to take action through suspicious links. Uses natural language processing to identify credential theft or BEC intent while filtering out benign communications."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and 0 < length(body.current_thread.links) < 15
  and any(body.current_thread.links,
          network.whois(.href_url.domain).days_old < 60
          and regex.icontains(.display_text,
                              '(?:view|click|download|check|validate)'
          )
  )
  and regex.icontains(subject.base,
                      '\b(?:proposal|purchase|invoice|payment|wire|agreement|contract|settlement)\b'
  )
  and regex.icontains(body.current_thread.text,
                      '\bwire\b',
                      'payment',
                      'invoice',
                      '\bACH\b',
                      'kindly',
                      'document',
                      'urgent',
                      'confirm'
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("cred_theft", "bec") and .confidence != "low"
    )
    or any(ml.nlu_classifier(body.current_thread.text).tags,
           .name in ("invoice", "payment")
    )
  )
  // prevent benign emails
  and not any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "benign"
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "fee020b6-4a01-5ed3-a924-b5aa4415d3e9"
```
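The predicate chain above is easiest to reason about when each clause can be exercised against concrete messages. The following is an added Python re-implementation of the rule's boolean logic, not Sublime's code or MQL engine: the WHOIS age lookup, the `$high_trust_sender_root_domains` list, the NLU classifier output and the sample messages are all constructed stand-ins, `root_domain` is a two-label approximation with no public-suffix handling, and the `Link`/`Message` classes are hypothetical. It is useful for seeing which clause a given message fails, and for checking the `coalesce(..., false)` caveat: a trusted sender with no DMARC result at all is not exempted.

```python
import re
from dataclasses import dataclass, field, replace
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Link:
    display_text: str          # anchor text, stand-in for .display_text
    href: str                  # stand-in for .href_url

    @property
    def domain(self) -> str:
        return (urlparse(self.href).hostname or "").lower()


@dataclass
class Message:
    sender_domain: str         # stand-in for sender.email.domain
    subject: str               # stand-in for subject.base
    body_text: str             # stand-in for body.current_thread.text
    links: list                # stand-in for body.current_thread.links
    intents: list = field(default_factory=list)  # (name, confidence) pairs, classifier stand-in
    tags: list = field(default_factory=list)     # tag names, classifier stand-in
    dmarc_pass: Optional[bool] = None            # None models a missing DMARC result


# Constructed stand-in for network.whois(domain).days_old; unknown host -> None (null).
WHOIS_DAYS_OLD = {"invoice-portal-secure.example": 12, "docs.example-bank.com": 3650}

# Constructed stand-in for the $high_trust_sender_root_domains list.
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"example-bank.com"}

# Patterns copied from the rule; regex.icontains is case-insensitive.
ACTION_WORDS = re.compile(r"(?:view|click|download|check|validate)", re.I)
SUBJECT_TERMS = re.compile(
    r"\b(?:proposal|purchase|invoice|payment|wire|agreement|contract|settlement)\b", re.I)
BODY_TERMS = [re.compile(p, re.I) for p in
              (r"\bwire\b", "payment", "invoice", r"\bACH\b",
               "kindly", "document", "urgent", "confirm")]


def root_domain(host: str) -> str:
    """Crude stand-in for .root_domain: last two labels, no public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def link_is_young_and_engaging(link: Link) -> bool:
    """days_old < 60 is false when WHOIS is null, mirroring MQL null comparison."""
    age = WHOIS_DAYS_OLD.get(link.domain)
    return age is not None and age < 60 and bool(ACTION_WORDS.search(link.display_text))


def matches_rule(msg: Message) -> bool:
    if not 0 < len(msg.links) < 15:
        return False
    if not any(link_is_young_and_engaging(l) for l in msg.links):
        return False
    if not SUBJECT_TERMS.search(msg.subject):
        return False
    if not any(p.search(msg.body_text) for p in BODY_TERMS):
        return False
    intent_hit = any(n in ("cred_theft", "bec") and c != "low" for n, c in msg.intents)
    tag_hit = any(t in ("invoice", "payment") for t in msg.tags)
    if not (intent_hit or tag_hit):
        return False
    # prevent benign emails
    if any(n == "benign" for n, _ in msg.intents):
        return False
    # negate highly trusted senders unless DMARC did not pass (coalesce(null, false) -> false)
    trusted = root_domain(msg.sender_domain) in HIGH_TRUST_SENDER_ROOT_DOMAINS
    if trusted and msg.dmarc_pass is True:
        return False
    return True


# Constructed sample messages.
SUSPICIOUS = Message(
    sender_domain="accounts-payable.example.net",
    subject="Outstanding invoice - payment required",
    body_text="Kindly review the attached document and confirm payment today.",
    links=[Link("View Invoice", "https://invoice-portal-secure.example/login")],
    intents=[("bec", "medium")],
)


def run_samples() -> dict:
    """Named verdicts showing which clause each variant trips."""
    return {
        "suspicious": matches_rule(SUSPICIOUS),
        "trusted_sender_dmarc_pass": matches_rule(
            replace(SUSPICIOUS, sender_domain="billing.example-bank.com", dmarc_pass=True)),
        "trusted_sender_no_dmarc": matches_rule(
            replace(SUSPICIOUS, sender_domain="billing.example-bank.com", dmarc_pass=None)),
        "old_domain": matches_rule(
            replace(SUSPICIOUS, links=[Link("View Invoice", "https://docs.example-bank.com/x")])),
        "unknown_whois": matches_rule(
            replace(SUSPICIOUS, links=[Link("View Invoice", "https://never-seen.example/x")])),
        "benign_intent": matches_rule(
            replace(SUSPICIOUS, intents=[("bec", "medium"), ("benign", "high")])),
        "low_confidence_no_tag": matches_rule(replace(SUSPICIOUS, intents=[("bec", "low")])),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:28s} {verdict}")
```

Two behaviours worth noting from the samples: a link whose WHOIS record is unavailable never satisfies `days_old < 60`, so the rule is conservative on lookup failure, and the high-trust exemption only applies when DMARC positively passed, so a trusted root domain with a missing DMARC result still fires.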