Scam: Piano Giveaway

calendar Feb 20, 2025  ·
Share on: linkedin copy

This rule is designed to identify and mitigate a specific type of fraudulent activity commonly targeted at educational institutions. This rule operates by analyzing incoming email content for certain characteristics indicative of a scam involving the offer of a free piano, often framed within the context of downsizing or a giveaway.

Sublime rule (View on GitHub)

  1name: "Scam: Piano Giveaway"
  2description: "This rule is designed to identify and mitigate a specific type of fraudulent activity commonly targeted at educational institutions. This rule operates by analyzing incoming email content for certain characteristics indicative of a scam involving the offer of a free piano, often framed within the context of downsizing or a giveaway."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  length(body.links) < 10
  7  and length(body.current_thread.text) < 1500
  8  and (
  9    // items and brands
 10    // Guitars
 11    regex.icontains(body.current_thread.text,
 12                  '(?:Gibson|Fender|Lowden|Martin|Taylor|Ibanez)\s*[^\r\n]{0,50}\s*guitar',
 13    )
 14    // Piano/Keyboards
 15    or regex.icontains(body.current_thread.text,
 16                       '(?:Yamaha|Kawai|Baldwin|Roland|Stei?nway(?: (?:&|and) Sons?)?)\s*[^\r\n]{0,50}(?:baby.grand|piano|baby.grand.piano|keyboard)',
 17    )
 18    // Violins & Orchestral 
 19    or regex.icontains(body.current_thread.text,
 20                       '(?:Stradivarius|Guarneri|Yamaha|Stentor|Eastman|Cremona|Cecilio|Mendini)\s*[^\r\n]{0,50}(violin|viola|cello|celli)',
 21    )
 22    // brass/wind/woodwinds
 23    or regex.icontains(body.current_thread.text,
 24                       '(?:Bach|Yamaha|Selmer|Conn|King|Jupiter|Buffet Crampon |Pearl)\s*[^\r\n]{0,50}(trombone|trumpet|saxophone|clarinet|flute)'
 25    )
 26  
 27    // generic
 28    or strings.ilike(body.current_thread.text, '* musical instruments *', '* instrument as a gift*')
 29  )
 30  and (
 31    // often a person is moving
 32    strings.ilike(body.current_thread.text,
 33                  '* downsizing *',
 34                  '* relocating *',
 35                  '* relocation *',
 36                  '* moving *'
 37    )
 38    or strings.ilike(body.current_thread.text,
 39                     '* give away*',
 40                     '* generously offering *',
 41                     '*a loving home*',
 42                     '*find a new home *',
 43                     '*rehome these instruments *'
 44    )
 45    // generally somone died
 46    or regex.icontains(body.current_thread.text,
 47                       'inherited instruments',
 48                       'late (?:husband|father|dad|wife|mother|mom)',
 49                       '(?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate'
 50    )
 51    // passion/love for the item
 52    or strings.ilike(body.current_thread.text,
 53                     '* genuinely cherish *',
 54                     '* cherished possessions *',
 55                     '* passionate instrument *',
 56                     '* had a passion for music *'
 57    )
 58  )
 59  and (
 60    // it talks about a shipping fee upfront
 61    regex.icontains(body.current_thread.text,
 62                    'shipping (?:fee|cost|arrangement)',
 63                    '(?:responsible|pay) for shipping',
 64                    'no (?:local\s)?pick.?up',
 65                    'delivery only',
 66                    'moving company'
 67    )
 68    or strings.ilike(body.current_thread.text,
 69                     '* if you will take it *',
 70                     '* or have someone *',
 71                     '* indicate your interest *',
 72                     '* to someone you know*',
 73                     '* someone you know would *'
 74                     
 75    )
 76    or regex.icontains(body.current_thread.text,
 77                       'if you (?:will be|are) interested',
 78                       'who (?:will|would) appreciate'
 79    )
 80    or (
 81      // there's an email in the body 
 82      regex.contains(body.current_thread.text,
 83                     "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
 84      )
 85  
 86      // and it's likely a freemail
 87      and any($free_email_providers,
 88              strings.icontains(body.current_thread.text, .)
 89      )
 90    )
 91    // reply-to doesn't match sender
 92    or (
 93      length(headers.reply_to) > 0
 94      and sender.email.email not in map(headers.reply_to, .email.email)
 95    )
 96    // there are no recipients
 97    or length(recipients.to) == 0
 98    // redirects to a phone number
 99    or regex.icontains(body.current_thread.text,
100                       '(?:call|contact|text)[^\r\n]{0,50} at'
101    )
102    or regex.icontains(body.current_thread.text,
103                       '(?:private|personal) (?:e-?)?mail'
104    )
105    or strings.icontains(body.current_thread.text, ' kindly ')
106  )
107  
108  // not high trust sender domains
109  and not (
110    sender.email.domain.root_domain in $high_trust_sender_root_domains
111    and headers.auth_summary.dmarc.pass
112  )
113  // person provides piano lessons and offers to give a Roland baby-grand away
114  and not sender.email.domain.root_domain == 'ridleyacademy.com'  
115attack_types:
116  - "BEC/Fraud"
117tactics_and_techniques:
118  - "Free email provider"
119detection_methods:
120  - "Content analysis"
121  - "Natural Language Understanding"
122  - "Sender analysis"
123id: "1a91a203-b1fe-52b7-9f71-cecdbf5cdce0"
to-top