Scam: Piano giveaway
This rule is designed to identify and mitigate a specific type of fraudulent activity commonly targeted at educational institutions. This rule operates by analyzing incoming email content for certain characteristics indicative of a scam involving the offer of a free piano, often framed within the context of downsizing or a giveaway.
Sublime rule (View on GitHub)
1name: "Scam: Piano giveaway"
2description: "This rule is designed to identify and mitigate a specific type of fraudulent activity commonly targeted at educational institutions. This rule operates by analyzing incoming email content for certain characteristics indicative of a scam involving the offer of a free piano, often framed within the context of downsizing or a giveaway."
3type: "rule"
4severity: "medium"
5source: |
6 length(body.links) < 10
7 and length(body.current_thread.text) < 2000
8 and (
9 // body detection
10 // be sure to update the attachment detection regexes too!
11 (
12 (
13 // items and brands
14 // Guitars
15 regex.icontains(body.current_thread.text,
16 '(?:Gibson|Fender|Lowden|Martin|Taylor|Ibanez|Knaggs)\s*[^\r\n]{0,50}\s*guitar',
17 'guitar\s*[^\r\n]{0,50}\s*(?:Gibson|Fender|Lowden|Martin|Taylor|Ibanez|Knaggs)',
18 )
19 // Piano/Keyboards
20 or regex.icontains(body.current_thread.text,
21 '(?:Yamaha|Kawai|Baldwin|Roland|Stei?nway(?: (?:&|and) Sons?)?|\d{4})\s*[^\r\n]{0,50}(?:baby.grand|piano|baby.grand.piano|keyboard)',
22 '(?:baby.grand|piano|baby.grand.piano|keyboard)\s*[^\r\n]{0,50}(?:Yamaha|Kawai|Baldwin|Roland|Stei?nway(?: (?:&|and) Sons?)?|\d{4})',
23 // strong indicators for generalized instrument
24 '(?:piano|keyboard)\s*[^\r\n]{0,50}(?:available|sale|rehome|gift)'
25 )
26 // Violins & Orchestral
27 or regex.icontains(body.current_thread.text,
28 '(?:Stradivarius|Guarneri|Yamaha|Stentor|Eastman|Cremona|Cecilio|Mendini)\s*[^\r\n]{0,50}(violin|viola|cello|celli)',
29 )
30 // brass/wind/woodwinds
31 or regex.icontains(body.current_thread.text,
32 '(?:Bach|Yamaha|Selmer|Conn|King|Jupiter|Buffet Crampon |Pearl)\s*[^\r\n]{0,50}(trombone|trumpet|saxophone|clarinet|flute)'
33 )
34
35 // generic
36 or strings.ilike(body.current_thread.text,
37 '* musical instruments *',
38 '* instrument as a gift*'
39 )
40 )
41 and (
42 // often a person is moving
43 strings.ilike(body.current_thread.text,
44 '* downsizing *',
45 '* relocating *',
46 '* to relocate *',
47 '* relocation *',
48 '* moving *'
49 )
50 or strings.ilike(body.current_thread.text,
51 '* give away*',
52 '* generously offering *',
53 '*a loving home*',
54 '*a good home*',
55 '*find a new home *',
56 '*rehome these instruments *',
57 '* free donation*',
58 '*free*member of the music community*'
59 )
60 // generally someone died
61 or regex.icontains(body.current_thread.text,
62 'inherited instruments',
63 'late (?:husband|father|dad|wife|mother|mom)',
64 '(?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate'
65 )
66 // passion/love for the item
67 or strings.ilike(body.current_thread.text,
68 '* genuinely cherish*',
69 '* cherished possessions*',
70 '* passionate instrument*',
71 '* music lover*',
72 '* had a passion for music*',
73 '* appreciates music*',
74 "* special piece*",
75 "* a lot of meaning*",
76 "* profound sentimental*",
77 '* will cherish*',
78 '* passion for music*',
79 '* treasured items *'
80 )
81 )
82 and (
83 // it talks about a shipping fee upfront
84 regex.icontains(body.current_thread.text,
85 'shipping (?:fee|cost|arrangement)',
86 '(?:responsible|pay) for shipping',
87 'no (?:local\s)?pick.?up',
88 '(?:local\s)?pick.?up.{0,50}not available',
89 'delivery only',
90 'moving company'
91 )
92 // recipient or someone they know might have an interest
93 or strings.ilike(body.current_thread.text,
94 '* if you will take it *',
95 '* or have someone *',
96 '* indicate your interest *',
97 '* to someone you know *',
98 '* know someone who *',
99 '* someone you know would *',
100 '* someone who will *',
101 '* someone who truly *',
102 '* anyone you know *',
103 )
104 or regex.icontains(body.current_thread.text,
105 'if you[^\r\n]{0,20}(?:(?:might|will|would) be|are)[^\r\n]{0,20}interested',
106 '(?:any|some)one[^\r\n]{0,20}(is|will|would|might be)[^\r\n]{0,20}interested',
107 'who (?:will|would|might) appreciate',
108 )
109 or (
110 // there's an email in the body
111 any(regex.extract(body.current_thread.text,
112 "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
113 ),
114 strings.parse_email(.full_match).domain.domain in $free_email_providers
115 or strings.parse_email(.full_match).domain.root_domain in $free_email_providers
116 )
117 // reply-to doesn't match sender
118 or (
119 length(headers.reply_to) > 0
120 and sender.email.email not in map(headers.reply_to, .email.email)
121 )
122 // there are no recipients
123 or length(recipients.to) == 0
124 // redirects to a phone number
125 or regex.icontains(body.current_thread.text,
126 '(?:call|contact|text)[^\r\n]{0,50} at'
127 )
128 or regex.icontains(body.current_thread.text,
129 '(?:private|personal) (?:e-?)?mail'
130 )
131 or strings.icontains(body.current_thread.text, ' kindly ')
132 or strings.icontains(body.current_thread.text, ' (kindly ')
133 )
134 )
135 )
136 or (
137 any(filter(attachments, .size < 10000),
138 (
139 // items and brands
140 // Guitars
141 regex.icontains(file.parse_text(.).text,
142 '(?:Gibson|Fender|Lowden|Martin|Taylor|Ibanez|Knaggs)\s*[^\r\n]{0,50}\s*guitar',
143 'guitar\s*[^\r\n]{0,50}\s*(?:Gibson|Fender|Lowden|Martin|Taylor|Ibanez|Knaggs)',
144 )
145 // Piano/Keyboards
146 or regex.icontains(file.parse_text(.).text,
147 '(?:Yamaha|Kawai|Baldwin|Roland|Stei?nway(?: (?:&|and) Sons?)?)\s*[^\r\n]{0,50}(?:baby.grand|piano|baby.grand.piano|keyboard)',
148 '(?:baby.grand|piano|baby.grand.piano|keyboard)\s*[^\r\n]{0,50}(?:Yamaha|Kawai|Baldwin|Roland|Stei?nway(?: (?:&|and) Sons?)?|\d{4})',
149 // strong indicators for generalized instrument
150 '(?:piano|keyboard)\s*[^\r\n]{0,50}(?:available|sale|rehome|gift)'
151 )
152 // Violins & Orchestral
153 or regex.icontains(file.parse_text(.).text,
154 '(?:Stradivarius|Guarneri|Yamaha|Stentor|Eastman|Cremona|Cecilio|Mendini)\s*[^\r\n]{0,50}(violin|viola|cello|celli)',
155 )
156 // brass/wind/woodwinds
157 or regex.icontains(file.parse_text(.).text,
158 '(?:Bach|Yamaha|Selmer|Conn|King|Jupiter|Buffet Crampon |Pearl)\s*[^\r\n]{0,50}(trombone|trumpet|saxophone|clarinet|flute)'
159 )
160
161 // generic
162 or strings.ilike(file.parse_text(.).text,
163 '* musical instruments *',
164 '* instrument as a gift*'
165 )
166 )
167 and (
168 // often a person is moving
169 strings.ilike(file.parse_text(.).text,
170 '* downsizing *',
171 '* relocating *',
172 '* to relocate *',
173 '* relocation *',
174 )
175 or strings.ilike(file.parse_text(.).text,
176 '* give away*',
177 '* generously offering *',
178 '*a loving home*',
179 '*a good home*',
180 '*find a new home *',
181 '*rehome these instruments *',
182 '* free donation*',
183 '*free*member of the music community*'
184 )
185 // generally someone died
186 or regex.icontains(file.parse_text(.).text,
187 'inherited instruments',
188 'late (?:husband|father|dad|wife|mother|mom)',
189 '(?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate'
190 )
191 // passion/love for the item/music
192 or strings.ilike(file.parse_text(.).text,
193 '* genuinely cherish*',
194 '* cherished possessions*',
195 '* passionate instrument*',
196 '* music lover*',
197 '* had a passion for music*',
198 '* appreciates music*',
199 "* special piece*",
200 "* a lot of meaning*",
201 "* profound sentimental*",
202 '* will cherish*',
203 '* passion for music*',
204 '* treasured items *'
205 )
206 )
207 and (
208 // it talks about a shipping fee upfront
209 regex.icontains(file.parse_text(.).text,
210 'shipping (?:fee|cost|arrangement)',
211 '(?:responsible|pay) for shipping',
212 'no (?:local\s)?pick.?up',
213 '(?:local\s)?pick.?up.{0,50}not available',
214 'delivery only',
215 'moving company'
216 )
217 or strings.ilike(file.parse_text(.).text,
218 '* if you will take it *',
219 '* or have someone *',
220 '* indicate your interest *',
221 '* to someone you know *',
222 '* know someone who *',
223 '* someone you know would *',
224 '* someone who will *',
225 '* anyone you know *',
226 )
227 or regex.icontains(file.parse_text(.).text,
228 'if you[^\r\n]{0,20}(?:(?:might|will|would) be|are)[^\r\n]{0,20}interested',
229 '(?:any|some)one[^\r\n]{0,20}(is|will|would|might be)[^\r\n]{0,20}interested',
230 'who (?:will|would|might) appreciate',
231 )
232 // there's an email in the body
233 or any(regex.extract(file.parse_text(.).text,
234 "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
235 ),
236 strings.parse_email(.full_match).domain.domain in $free_email_providers
237 or strings.parse_email(.full_match).domain.root_domain in $free_email_providers
238 )
239
240 // reply-to doesn't match sender
241 or (
242 length(headers.reply_to) > 0
243 and sender.email.email not in map(headers.reply_to, .email.email)
244 )
245 // there are no recipients
246 or length(recipients.to) == 0
247 // redirects to a phone number
248 or regex.icontains(file.parse_text(.).text,
249 '(?:call|contact|text)[^\r\n]{0,50} at'
250 )
251 or regex.icontains(file.parse_text(.).text,
252 '(?:private|personal) (?:e-?)?mail'
253 )
254 or strings.icontains(file.parse_text(.).text, ' kindly ')
255 or strings.icontains(file.parse_text(.).text, ' (kindly ')
256 )
257 )
258 )
259 )
260
261 // not high trust sender domains
262 and not (
263 sender.email.domain.root_domain in $high_trust_sender_root_domains
264 and headers.auth_summary.dmarc.pass
265 )
266 and not sender.email.domain.root_domain in (
267 'ridleyacademy.com', // person provides piano lessons and offers to give a Roland baby-grand away
268 'mountainpiano.com' // legitimate piano moving company in Denver
269 )
270attack_types:
271 - "BEC/Fraud"
272tactics_and_techniques:
273 - "Free email provider"
274detection_methods:
275 - "Content analysis"
276 - "Natural Language Understanding"
277 - "Sender analysis"
278id: "1a91a203-b1fe-52b7-9f71-cecdbf5cdce0"