Link: RFI document reference pattern in display text

Detects links whose display text contains an RFI (Request for Information) document reference in the format RFI-###-###-###, a pattern commonly used in construction and procurement fraud schemes.

Sublime rule

```yaml
name: "Link: RFI document reference pattern in display text"
description: "Detects links with display text containing RFI (Request for Information) document reference patterns using format RFI-###-###-###, commonly used in construction and procurement fraud schemes."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.current_thread.links,
          regex.icontains(.display_text, '\bRFI-\d{1,5}-\d{1,5}-\d{1,5}\b')
          and not regex.icontains(.display_text,
                                  '\bRFI-\d{2}-\d{2}-\d{4}\b',
                                  '\bRFI-\d{4}-\d{2}-\d{2}\b'
          )
  )
  and length(body.links) < 11
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "1ffcfc52-a023-585f-8f9f-d1cf16bdaed3"
```
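To see how the rule's predicates behave on link text before deploying or tuning it, here is an added Python mirror of the rule logic (example code, not Sublime's own implementation). It assumes Python's `re` with `re.IGNORECASE` approximates MQL's `regex.icontains`, and the link texts and counts are constructed samples.

```python
import re

# Patterns transcribed from the rule's MQL source; icontains is case-insensitive search.
RFI_REF = re.compile(r'\bRFI-\d{1,5}-\d{1,5}-\d{1,5}\b', re.IGNORECASE)
# Date-shaped identifiers the rule excludes: RFI-DD-MM-YYYY and RFI-YYYY-MM-DD.
DATE_LIKE = [
    re.compile(r'\bRFI-\d{2}-\d{2}-\d{4}\b', re.IGNORECASE),
    re.compile(r'\bRFI-\d{4}-\d{2}-\d{2}\b', re.IGNORECASE),
]
MAX_LINKS = 11  # the rule requires length(body.links) < 11


def display_text_matches(text: str) -> bool:
    """Per-link predicate: an RFI reference is present and no date-shaped form is.

    Note the exclusion is evaluated over the whole display text, so a link text
    that carries both a real reference and a date-shaped one is suppressed.
    """
    if not RFI_REF.search(text):
        return False
    return not any(p.search(text) for p in DATE_LIKE)


def rule_fires(inbound: bool, thread_link_texts: list[str], total_links: int) -> bool:
    """Whole-rule mirror: inbound, any current-thread link matches, few links overall."""
    if not inbound:
        return False
    if total_links >= MAX_LINKS:
        return False
    return any(display_text_matches(t) for t in thread_link_texts)


if __name__ == "__main__":
    # Constructed sample link display texts, not real message data.
    samples = [
        "Review RFI-042-117-003 before Friday",   # fires: reference shape
        "RFI-12-05-2024 site report",             # suppressed: DD-MM-YYYY
        "rfi-2024-01-15 minutes",                 # suppressed: YYYY-MM-DD, case-insensitive
        "RFI-123456-1-1 attached",                # no match: six-digit segment exceeds \d{1,5}
        "RFI-042-117-003 (dated RFI-2024-01-15)", # suppressed: exclusion covers whole text
    ]
    for s in samples:
        print(f"{display_text_matches(s)!s:5}  {s}")
    print("rule fires on 3-link inbound message:", rule_fires(True, [samples[0]], 3))
    print("rule fires on 11-link inbound message:", rule_fires(True, [samples[0]], 11))
```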