Scam: Piano giveaway
This rule identifies a fraud pattern that commonly targets educational institutions: an unsolicited offer of a free musical instrument. The classic lure is a piano, but the rule's patterns also cover guitars, orchestral strings, brass and woodwinds. The offer is usually framed as downsizing, relocating, or settling a late relative's estate. The rule inspects either the email body or a small text attachment and requires three things to line up: an instrument or brand mention, a reason for giving it away, and a hook such as an upfront shipping fee, a request to forward the offer to "someone interested", a free-mail contact address, a reply-to that differs from the sender, or a redirect to a phone number or private email.
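name: "Scam: Piano giveaway"
description: "This rule is designed to identify and mitigate a specific type of fraudulent activity commonly targeted at educational institutions. This rule operates by analyzing incoming email content for certain characteristics indicative of a scam involving the offer of a free piano, often framed within the context of downsizing or a giveaway."
type: "rule"
severity: "medium"
source: |
  // This lure is a short, link-light story; the size bounds also keep the
  // regex work below cheap.
  length(body.links) < 10
  and length(body.current_thread.text) < 1500
  and (
    // body detection
    // be sure to update the attachment detection regexes too!
    // The attachment branch further down must stay a mirror of this branch:
    // same brand/instrument regexes, same give-away phrases, same hooks.
    (
      (
        // items and brands
        // Guitars
        regex.icontains(body.current_thread.text,
                        '(?:Gibson|Fender|Lowden|Martin|Taylor|Ibanez)\s*[^\r\n]{0,50}\s*guitar',
        )
        // Piano/Keyboards
        // \d{4} covers "a 1985 Yamaha upright piano" style wording where the
        // year, not the brand, precedes the instrument.
        or regex.icontains(body.current_thread.text,
                           '(?:Yamaha|Kawai|Baldwin|Roland|Stei?nway(?: (?:&|and) Sons?)?|\d{4})\s*[^\r\n]{0,50}(?:baby.grand|piano|baby.grand.piano|keyboard)',
                           // strong indicators for generalized instrument
                           '(?:piano|keyboard)\s*[^\r\n]{0,50}(?:available|sale|rehome|gift)'
        )
        // Violins & Orchestral
        or regex.icontains(body.current_thread.text,
                           '(?:Stradivarius|Guarneri|Yamaha|Stentor|Eastman|Cremona|Cecilio|Mendini)\s*[^\r\n]{0,50}(violin|viola|cello|celli)',
        )
        // brass/wind/woodwinds
        or regex.icontains(body.current_thread.text,
                           '(?:Bach|Yamaha|Selmer|Conn|King|Jupiter|Buffet Crampon |Pearl)\s*[^\r\n]{0,50}(trombone|trumpet|saxophone|clarinet|flute)'
        )

        // generic
        or strings.ilike(body.current_thread.text,
                         '* musical instruments *',
                         '* instrument as a gift*'
        )
      )
      and (
        // often a person is moving
        strings.ilike(body.current_thread.text,
                      '* downsizing *',
                      '* relocating *',
                      '* relocation *',
                      '* moving *'
        )
        or strings.ilike(body.current_thread.text,
                         '* give away*',
                         '* generously offering *',
                         '*a loving home*',
                         '*find a new home *',
                         '*rehome these instruments *',
                         '* free donation*'
        )
        // generally someone died
        or regex.icontains(body.current_thread.text,
                           'inherited instruments',
                           'late (?:husband|father|dad|wife|mother|mom)',
                           '(?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate'
        )
        // passion/love for the item/music
        or strings.ilike(body.current_thread.text,
                         '* genuinely cherish*',
                         '* cherished possessions*',
                         '* passionate instrument*',
                         '* music lover*',
                         '* had a passion for music*',
                         '* appreciates music*',
                         "* special piece*",
                         "* a lot of meaning*",
                         "* profound sentimental*",
                         '* will cherish*'
        )
      )
      and (
        // it talks about a shipping fee upfront
        regex.icontains(body.current_thread.text,
                        'shipping (?:fee|cost|arrangement)',
                        '(?:responsible|pay) for shipping',
                        'no (?:local\s)?pick.?up',
                        'delivery only',
                        'moving company'
        )
        // recipient or someone they know might have an interest
        or strings.ilike(body.current_thread.text,
                         '* if you will take it *',
                         '* or have someone *',
                         '* indicate your interest *',
                         '* to someone you know *',
                         '* know someone who *',
                         '* someone you know would *',
                         '* someone who will *'
        )
        or regex.icontains(body.current_thread.text,
                           'if you[^\r\n]{0,20}(?:(?:might|will|would) be|are)[^\r\n]{0,20}interested',
                           '(?:any|some)one[^\r\n]{0,20}(is|will|would|might be)[^\r\n]{0,20}interested',
                           'who (?:will|would|might) appreciate',
        )
        or (
          // there's an email in the body
          regex.contains(body.current_thread.text,
                         "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
          )

          // and it's likely a freemail
          // NOTE(review): this only checks that a free-mail provider name
          // appears somewhere in the text; it does not verify that the
          // address matched above is on that provider.
          and any($free_email_providers,
                  strings.icontains(body.current_thread.text, .)
          )
        )
        // reply-to doesn't match sender
        or (
          length(headers.reply_to) > 0
          and sender.email.email not in map(headers.reply_to, .email.email)
        )
        // there are no recipients
        or length(recipients.to) == 0
        // redirects to a phone number
        // (loose on its own, e.g. "contact us at"; it only counts inside the
        // surrounding AND with an instrument and a give-away reason)
        or regex.icontains(body.current_thread.text,
                           '(?:call|contact|text)[^\r\n]{0,50} at'
        )
        or regex.icontains(body.current_thread.text,
                           '(?:private|personal) (?:e-?)?mail'
        )
        or strings.icontains(body.current_thread.text, ' kindly ')
      )
    )
    or (
      // attachment detection: the same story delivered as a small text
      // attachment instead of in the body. Keep this a mirror of the body
      // branch above.
      any(filter(attachments, .size < 10000),
          (
            // items and brands
            // Guitars
            regex.icontains(file.parse_text(.).text,
                            '(?:Gibson|Fender|Lowden|Martin|Taylor|Ibanez)\s*[^\r\n]{0,50}\s*guitar',
            )
            // Piano/Keyboards
            // \d{4} kept in sync with the body regex so a year-prefixed
            // instrument is caught in either location.
            or regex.icontains(file.parse_text(.).text,
                               '(?:Yamaha|Kawai|Baldwin|Roland|Stei?nway(?: (?:&|and) Sons?)?|\d{4})\s*[^\r\n]{0,50}(?:baby.grand|piano|baby.grand.piano|keyboard)',
                               // strong indicators for generalized instrument
                               '(?:piano|keyboard)\s*[^\r\n]{0,50}(?:available|sale|rehome|gift)'
            )
            // Violins & Orchestral
            or regex.icontains(file.parse_text(.).text,
                               '(?:Stradivarius|Guarneri|Yamaha|Stentor|Eastman|Cremona|Cecilio|Mendini)\s*[^\r\n]{0,50}(violin|viola|cello|celli)',
            )
            // brass/wind/woodwinds
            or regex.icontains(file.parse_text(.).text,
                               '(?:Bach|Yamaha|Selmer|Conn|King|Jupiter|Buffet Crampon |Pearl)\s*[^\r\n]{0,50}(trombone|trumpet|saxophone|clarinet|flute)'
            )

            // generic
            or strings.ilike(file.parse_text(.).text,
                             '* musical instruments *',
                             '* instrument as a gift*'
            )
          )
          and (
            // often a person is moving
            strings.ilike(file.parse_text(.).text,
                          '* downsizing *',
                          '* relocating *',
                          '* relocation *',
                          '* moving *'
            )
            // kept in sync with the body list (including '* free donation*')
            or strings.ilike(file.parse_text(.).text,
                             '* give away*',
                             '* generously offering *',
                             '*a loving home*',
                             '*find a new home *',
                             '*rehome these instruments *',
                             '* free donation*'
            )
            // generally someone died
            or regex.icontains(file.parse_text(.).text,
                               'inherited instruments',
                               'late (?:husband|father|dad|wife|mother|mom)',
                               '(?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate'
            )
            // passion/love for the item/music
            or strings.ilike(file.parse_text(.).text,
                             '* genuinely cherish*',
                             '* cherished possessions*',
                             '* passionate instrument*',
                             '* music lover*',
                             '* had a passion for music*',
                             '* appreciates music*',
                             "* special piece*",
                             "* a lot of meaning*",
                             "* profound sentimental*",
                             '* will cherish*'
            )
          )
          and (
            // it talks about a shipping fee upfront
            regex.icontains(file.parse_text(.).text,
                            'shipping (?:fee|cost|arrangement)',
                            '(?:responsible|pay) for shipping',
                            'no (?:local\s)?pick.?up',
                            'delivery only',
                            'moving company'
            )
            // recipient or someone they know might have an interest
            or strings.ilike(file.parse_text(.).text,
                             '* if you will take it *',
                             '* or have someone *',
                             '* indicate your interest *',
                             '* to someone you know *',
                             '* know someone who *',
                             '* someone you know would *',
                             '* someone who will *'
            )
            or regex.icontains(file.parse_text(.).text,
                               'if you[^\r\n]{0,20}(?:(?:might|will|would) be|are)[^\r\n]{0,20}interested',
                               '(?:any|some)one[^\r\n]{0,20}(is|will|would|might be)[^\r\n]{0,20}interested',
                               'who (?:will|would|might) appreciate',
            )
            or (
              // there's an email in the attachment
              regex.contains(file.parse_text(.).text,
                             "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
              )

              // and it's likely a freemail
              // NOTE(review): as in the body branch, this is a presence check
              // for a provider name, not a check on the matched address.
              // `..` is the attachment from the enclosing any().
              and any($free_email_providers,
                      strings.icontains(file.parse_text(..).text, .)
              )
            )
            // reply-to doesn't match sender
            or (
              length(headers.reply_to) > 0
              and sender.email.email not in map(headers.reply_to, .email.email)
            )
            // there are no recipients
            or length(recipients.to) == 0
            // redirects to a phone number
            or regex.icontains(file.parse_text(.).text,
                               '(?:call|contact|text)[^\r\n]{0,50} at'
            )
            or regex.icontains(file.parse_text(.).text,
                               '(?:private|personal) (?:e-?)?mail'
            )
            or strings.icontains(file.parse_text(.).text, ' kindly ')
          )
      )
    )
  )

  // not high trust sender domains
  // A sender-domain exclusion is only meaningful when the domain is
  // authenticated; otherwise a spoofed From: would bypass the rule.
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and headers.auth_summary.dmarc.pass
  )
  // person provides piano lessons and offers to give a Roland baby-grand away
  // Gated on DMARC pass for the same reason as the high-trust list: an
  // unauthenticated exclusion on a bare root domain is a spoofable bypass.
  // If this domain does not publish DMARC, revisit the exception rather
  // than dropping the auth check.
  and not (
    sender.email.domain.root_domain == 'ridleyacademy.com'
    and headers.auth_summary.dmarc.pass
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "1a91a203-b1fe-52b7-9f71-cecdbf5cdce0"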