Scam: Piano giveaway
This rule is designed to identify and mitigate a specific type of fraudulent activity commonly targeted at educational institutions. This rule operates by analyzing incoming email content for certain characteristics indicative of a scam involving the offer of a free piano, often framed within the context of downsizing or a giveaway.
Sublime rule (View on GitHub)
1name: "Scam: Piano giveaway"
2description: "This rule is designed to identify and mitigate a specific type of fraudulent activity commonly targeted at educational institutions. This rule operates by analyzing incoming email content for certain characteristics indicative of a scam involving the offer of a free piano, often framed within the context of downsizing or a giveaway."
3type: "rule"
4severity: "medium"
5source: |
6 length(body.links) < 10
7 and length(body.current_thread.text) < 1500
8 and (
9 // body detection
10 // be sure to update the attachment detection regexes too!
11 (
12 (
13 // items and brands
14 // Guitars
15 regex.icontains(body.current_thread.text,
16 '(?:Gibson|Fender|Lowden|Martin|Taylor|Ibanez)\s*[^\r\n]{0,50}\s*guitar',
17 )
18 // Piano/Keyboards
19 or regex.icontains(body.current_thread.text,
20 '(?:Yamaha|Kawai|Baldwin|Roland|Stei?nway(?: (?:&|and) Sons?)?|\d{4})\s*[^\r\n]{0,50}(?:baby.grand|piano|baby.grand.piano|keyboard)',
21 // strong indicators for generalized instrument
22 '(?:piano|keyboard)\s*[^\r\n]{0,50}(?:available|sale|rehome|gift)'
23 )
24 // Violins & Orchestral
25 or regex.icontains(body.current_thread.text,
26 '(?:Stradivarius|Guarneri|Yamaha|Stentor|Eastman|Cremona|Cecilio|Mendini)\s*[^\r\n]{0,50}(violin|viola|cello|celli)',
27 )
28 // brass/wind/woodwinds
29 or regex.icontains(body.current_thread.text,
30 '(?:Bach|Yamaha|Selmer|Conn|King|Jupiter|Buffet Crampon |Pearl)\s*[^\r\n]{0,50}(trombone|trumpet|saxophone|clarinet|flute)'
31 )
32
33 // generic
34 or strings.ilike(body.current_thread.text,
35 '* musical instruments *',
36 '* instrument as a gift*'
37 )
38 )
39 and (
40 // often a person is moving
41 strings.ilike(body.current_thread.text,
42 '* downsizing *',
43 '* relocating *',
44 '* relocation *',
45 '* moving *'
46 )
47 or strings.ilike(body.current_thread.text,
48 '* give away*',
49 '* generously offering *',
50 '*a loving home*',
51 '*find a new home *',
52 '*rehome these instruments *',
53 '* free donation*'
54 )
55 // generally someone died
56 or regex.icontains(body.current_thread.text,
57 'inherited instruments',
58 'late (?:husband|father|dad|wife|mother|mom)',
59 '(?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate'
60 )
61 // passion/love for the item
62 or strings.ilike(body.current_thread.text,
63 '* genuinely cherish*',
64 '* cherished possessions*',
65 '* passionate instrument*',
66 '* music lover*',
67 '* had a passion for music*',
68 '* appreciates music*',
69 "* special piece*",
70 "* a lot of meaning*",
71 "* profound sentimental*",
72 '* will cherish*'
73 )
74 )
75 and (
76 // it talks about a shipping fee upfront
77 regex.icontains(body.current_thread.text,
78 'shipping (?:fee|cost|arrangement)',
79 '(?:responsible|pay) for shipping',
80 'no (?:local\s)?pick.?up',
81 'delivery only',
82 'moving company'
83 )
84 // recipient or someone they know might have an interest
85 or strings.ilike(body.current_thread.text,
86 '* if you will take it *',
87 '* or have someone *',
88 '* indicate your interest *',
89 '* to someone you know *',
90 '* know someone who *',
91 '* someone you know would *',
92 '* someone who will *',
93 '* someone who truly *'
94 )
95 or regex.icontains(body.current_thread.text,
96 'if you[^\r\n]{0,20}(?:(?:might|will|would) be|are)[^\r\n]{0,20}interested',
97 '(?:any|some)one[^\r\n]{0,20}(is|will|would|might be)[^\r\n]{0,20}interested',
98 'who (?:will|would|might) appreciate',
99 )
100 or (
101 // there's an email in the body
102 regex.contains(body.current_thread.text,
103 "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
104 )
105
106 // and it's likely a freemail
107 and any($free_email_providers,
108 strings.icontains(body.current_thread.text, .)
109 )
110 )
111 // reply-to doesn't match sender
112 or (
113 length(headers.reply_to) > 0
114 and sender.email.email not in map(headers.reply_to, .email.email)
115 )
116 // there are no recipients
117 or length(recipients.to) == 0
118 // redirects to a phone number
119 or regex.icontains(body.current_thread.text,
120 '(?:call|contact|text)[^\r\n]{0,50} at'
121 )
122 or regex.icontains(body.current_thread.text,
123 '(?:private|personal) (?:e-?)?mail'
124 )
125 or strings.icontains(body.current_thread.text, ' kindly ')
126 )
127 )
128 or (
129 any(filter(attachments, .size < 10000),
130 (
131 // items and brands
132 // Guitars
133 regex.icontains(file.parse_text(.).text,
134 '(?:Gibson|Fender|Lowden|Martin|Taylor|Ibanez)\s*[^\r\n]{0,50}\s*guitar',
135 )
136 // Piano/Keyboards
137 or regex.icontains(file.parse_text(.).text,
138 '(?:Yamaha|Kawai|Baldwin|Roland|Stei?nway(?: (?:&|and) Sons?)?)\s*[^\r\n]{0,50}(?:baby.grand|piano|baby.grand.piano|keyboard)',
139 // strong indicators for generalized instrument
140 '(?:piano|keyboard)\s*[^\r\n]{0,50}(?:available|sale|rehome|gift)'
141 )
142 // Violins & Orchestral
143 or regex.icontains(file.parse_text(.).text,
144 '(?:Stradivarius|Guarneri|Yamaha|Stentor|Eastman|Cremona|Cecilio|Mendini)\s*[^\r\n]{0,50}(violin|viola|cello|celli)',
145 )
146 // brass/wind/woodwinds
147 or regex.icontains(file.parse_text(.).text,
148 '(?:Bach|Yamaha|Selmer|Conn|King|Jupiter|Buffet Crampon |Pearl)\s*[^\r\n]{0,50}(trombone|trumpet|saxophone|clarinet|flute)'
149 )
150
151 // generic
152 or strings.ilike(file.parse_text(.).text,
153 '* musical instruments *',
154 '* instrument as a gift*'
155 )
156 )
157 and (
158 // often a person is moving
159 strings.ilike(file.parse_text(.).text,
160 '* downsizing *',
161 '* relocating *',
162 '* relocation *',
163 '* moving *'
164 )
165 or strings.ilike(file.parse_text(.).text,
166 '* give away*',
167 '* generously offering *',
168 '*a loving home*',
169 '*find a new home *',
170 '*rehome these instruments *'
171 )
172 // generally someone died
173 or regex.icontains(file.parse_text(.).text,
174 'inherited instruments',
175 'late (?:husband|father|dad|wife|mother|mom)',
176 '(?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate'
177 )
178 // passion/love for the item/music
179 or strings.ilike(file.parse_text(.).text,
180 '* genuinely cherish*',
181 '* cherished possessions*',
182 '* passionate instrument*',
183 '* music lover*',
184 '* had a passion for music*',
185 '* appreciates music*',
186 "* special piece*",
187 "* a lot of meaning*",
188 "* profound sentimental*",
189 '* will cherish*'
190 )
191 )
192 and (
193 // it talks about a shipping fee upfront
194 regex.icontains(file.parse_text(.).text,
195 'shipping (?:fee|cost|arrangement)',
196 '(?:responsible|pay) for shipping',
197 'no (?:local\s)?pick.?up',
198 'delivery only',
199 'moving company'
200 )
201 or strings.ilike(file.parse_text(.).text,
202 '* if you will take it *',
203 '* or have someone *',
204 '* indicate your interest *',
205 '* to someone you know *',
206 '* know someone who *',
207 '* someone you know would *',
208 '* someone who will *'
209 )
210 or regex.icontains(file.parse_text(.).text,
211 'if you[^\r\n]{0,20}(?:(?:might|will|would) be|are)[^\r\n]{0,20}interested',
212 '(?:any|some)one[^\r\n]{0,20}(is|will|would|might be)[^\r\n]{0,20}interested',
213 'who (?:will|would|might) appreciate',
214 )
215 or (
216 // there's an email in the attachment
217 regex.contains(file.parse_text(.).text,
218 "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
219 )
220
221 // and it's likely a freemail
222 and any($free_email_providers,
223 strings.icontains(file.parse_text(..).text, .)
224 )
225 )
226 // reply-to doesn't match sender
227 or (
228 length(headers.reply_to) > 0
229 and sender.email.email not in map(headers.reply_to, .email.email)
230 )
231 // there are no recipients
232 or length(recipients.to) == 0
233 // redirects to a phone number
234 or regex.icontains(file.parse_text(.).text,
235 '(?:call|contact|text)[^\r\n]{0,50} at'
236 )
237 or regex.icontains(file.parse_text(.).text,
238 '(?:private|personal) (?:e-?)?mail'
239 )
240 or strings.icontains(file.parse_text(.).text, ' kindly ')
241 )
242 )
243 )
244 )
245
246 // not high trust sender domains
247 and not (
248 sender.email.domain.root_domain in $high_trust_sender_root_domains
249 and headers.auth_summary.dmarc.pass
250 )
251 and not sender.email.domain.root_domain in (
252 'ridleyacademy.com', // person provides piano lessons and offers to give a Roland baby-grand away
253 'mountainpiano.com' // legitimate piano moving company in Denver
254 )
255
256attack_types:
257 - "BEC/Fraud"
258tactics_and_techniques:
259 - "Free email provider"
260detection_methods:
261 - "Content analysis"
262 - "Natural Language Understanding"
263 - "Sender analysis"
264id: "1a91a203-b1fe-52b7-9f71-cecdbf5cdce0"