Link: Remittance payment request with timeline template

Detects inbound messages whose plain-text body mentions "business days" and "account" and that carry a link with "remittance" in the URL path, a combination commonly used in financial fraud schemes. The rule targets a specific template seen in use that pressures the recipient with an expedited timeline. Links on top-10k (Tranco) domains are ignored unless the domain is a self-service site-creation platform or a free file host, so references to well-known legitimate sites do not trigger the rule on their own.

Sublime rule (View on GitHub)

name: "Link: Remittance payment request with timeline template"
description: "Detects messages containing references to business days and account information with links containing 'remittance' in the URL path, commonly used in financial fraud schemes. This rule is looking at a specific template we're seeing in use with an expedited timeline."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.icontains(body.plain.raw, "business days")
  and strings.icontains(body.plain.raw, "account")
  and any(filter(body.links,
                 .href_url.domain.root_domain not in $tranco_10k
                 or (
                   .href_url.domain.root_domain in $tranco_10k
                   and (
                     .href_url.domain.domain in $self_service_creation_platform_domains
                     or .href_url.domain.root_domain in $self_service_creation_platform_domains
                     or .href_url.domain.root_domain in $free_file_hosts
                     or .href_url.domain.domain in $free_file_hosts
                   )
                 )
          ),
          strings.icontains(.href_url.path, "remittance")
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "10dde1bf-480e-589b-95a3-3f81b811b667"
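To show how the three conditions above combine, here is an added Python re-implementation of the rule's logic run over constructed sample messages. This is example code written for this page, not Sublime Security's code or the MQL engine. It assumes: the Sublime lists $tranco_10k, $self_service_creation_platform_domains and $free_file_hosts are replaced with tiny constructed sets; every sample message is inbound; and root_domain is a simplified approximation of registrable-domain extraction (the real engine uses the public suffix list).

```python
"""
Added example (not Sublime's code): a Python model of the MQL rule
"Link: Remittance payment request with timeline template", run over
constructed sample messages so the match logic can be exercised offline.
"""
from urllib.parse import urlparse

# Constructed stand-ins for Sublime's maintained lists (assumptions, not the real lists).
TRANCO_10K = {"google.com", "microsoft.com", "sharepoint.com", "dropbox.com", "mediafire.com"}
SELF_SERVICE_CREATION_PLATFORMS = {"sharepoint.com", "sites.google.com"}
FREE_FILE_HOSTS = {"dropbox.com", "mediafire.com"}

# Minimal constructed set of multi-label public suffixes for root_domain().
MULTI_PART_TLDS = {"co.uk", "com.au"}


def root_domain(host: str) -> str:
    """Approximates .href_url.domain.root_domain (eTLD+1). Simplified: a real
    implementation should consult the public suffix list."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in MULTI_PART_TLDS:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def link_in_scope(href: str) -> bool:
    """Mirrors the filter() predicate: keep any link whose root domain is not in
    the Tranco top 10k, plus top-10k links that point at a self-service site
    builder or a free file host (where attackers can host content cheaply)."""
    host = urlparse(href).hostname or ""
    root = root_domain(host)
    if root not in TRANCO_10K:
        return True
    return (host in SELF_SERVICE_CREATION_PLATFORMS
            or root in SELF_SERVICE_CREATION_PLATFORMS
            or root in FREE_FILE_HOSTS
            or host in FREE_FILE_HOSTS)


def rule_matches(message: dict) -> bool:
    """Model of the rule's source: inbound (assumed), both body substrings
    present (case-insensitive, like strings.icontains), and at least one
    in-scope link whose URL path contains 'remittance'."""
    body = message["body"].lower()
    if "business days" not in body or "account" not in body:
        return False
    return any(
        "remittance" in (urlparse(href).path or "").lower()
        for href in message["links"]
        if link_in_scope(href)
    )


# Constructed sample messages (not real phishing samples).
SAMPLE_MESSAGES = {
    # Match: urgency + account wording, link on an unknown domain with 'remittance' in the path.
    "fraud_template": {
        "body": "Please review the remittance below. Payment must be released within "
                "2 business days to the account on file.",
        "links": ["https://docs-portal.example/remittance/view?id=1"],
    },
    # Match: the host is top-10k, but it is a free file host, so it stays in scope.
    "free_file_host": {
        "body": "Updated account details attached; remittance due in 3 business days.",
        "links": ["https://www.dropbox.com/s/abc123/Remittance_Advice.pdf"],
    },
    # No match: top-10k domain that is neither a site builder nor a file host is filtered out.
    "benign_vendor_docs": {
        "body": "Your account statement is available. Allow 5 business days for delivery.",
        "links": ["https://www.microsoft.com/remittance-guide"],
    },
    # No match: no 'business days' string, so the body conditions fail before links are checked.
    "no_timeline": {
        "body": "Account update: see the remittance notice at the link.",
        "links": ["https://docs-portal.example/remittance/view?id=2"],
    },
}


def evaluate_all() -> dict:
    """Returns {sample_name: matched} for every constructed message."""
    return {name: rule_matches(msg) for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, matched in evaluate_all().items():
        print(f"{name:20s} -> {'MATCH' if matched else 'no match'}")
```

Two things the model makes visible: the body checks are plain substrings, so "account" will also match words like "accountant" or "accounting", which is why the link filter carries most of the precision; and the `or` structure of the filter means a top-10k domain is only retained when it is on one of the two platform lists, so the `root_domain in $tranco_10k` clause inside the parentheses is implied by the first branch failing.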