Display name: 'kindly' with urgent language indicators

Detects inbound messages where the sender's display name contains 'kindly' (case-insensitive substring match) together with at least one urgency or action word commonly used in social engineering, such as urgent, ASAP, verify, confirm, or expedite. Only the display name is inspected; the subject and body are not, and the sender's address is not checked.

Sublime rule

name: "Display name: 'kindly' with urgent language indicators"
description: "Detects messages where the sender's display name contains 'kindly' combined with urgent action words commonly used in social engineering attacks, such as urgent, ASAP, verify, confirm, or expedite."
type: "rule"
severity: "high"
source: |
  type.inbound
  and strings.icontains(sender.display_name, "kindly")
  and (
    strings.icontains(sender.display_name, 'cell number')
    or strings.icontains(sender.display_name, 'expedite')
    or strings.icontains(sender.display_name, 'urgent')
    or strings.icontains(sender.display_name, 'contact number')
    or strings.icontains(sender.display_name, 'review')
    or strings.icontains(sender.display_name, 'confirm')
    or strings.icontains(sender.display_name, 'ASAP')
    or strings.icontains(sender.display_name, 'Follow Up')
    or strings.icontains(sender.display_name, 'nicely')
    or strings.icontains(sender.display_name, 'btc')
    or strings.icontains(sender.display_name, 'Reply')
    or strings.icontains(sender.display_name, 'RESPOND')
    or strings.icontains(sender.display_name, 'URGENTLY')
    or strings.icontains(sender.display_name, 'VERIFY')
    or strings.icontains(sender.display_name, 'convenience')
    or strings.icontains(sender.display_name, 'Response')
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "82ca0ff1-e823-5930-aa2d-7d2b572a528b"
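To see exactly what the rule above does and does not fire on, here is a stand-alone Python re-implementation of its logic run over a handful of constructed display names. This is an added example, not Sublime's code or the rule itself: the `Message` class is a hypothetical stand-in for the message object MQL evaluates, and `icontains` mirrors `strings.icontains` as a case-insensitive substring test. The indicator list is copied verbatim from the rule's `source` block.

```python
"""Added example: mirror of the 'kindly' display-name rule, evaluated offline.
Not Sublime's code. Message/icontains are assumptions standing in for the
MQL message object and strings.icontains."""
from __future__ import annotations

from dataclasses import dataclass

# Indicator terms copied from the rule's source block, in the same order.
# Because matching is case-insensitive, 'urgent' already covers 'URGENTLY';
# 'RESPOND' and 'Response' are distinct strings and both stay.
URGENCY_INDICATORS = (
    "cell number", "expedite", "urgent", "contact number", "review",
    "confirm", "ASAP", "Follow Up", "nicely", "btc", "Reply", "RESPOND",
    "URGENTLY", "VERIFY", "convenience", "Response",
)


@dataclass
class Message:
    """Hypothetical stand-in for the MQL message object (assumption)."""
    display_name: str   # sender.display_name
    inbound: bool = True  # type.inbound


def icontains(haystack: str, needle: str) -> bool:
    """Case-insensitive substring test, mirroring strings.icontains."""
    return needle.casefold() in haystack.casefold()


def matches_rule(msg: Message) -> bool:
    """inbound AND 'kindly' in display name AND at least one indicator."""
    if not msg.inbound:
        return False
    name = msg.display_name
    if not icontains(name, "kindly"):
        return False
    return any(icontains(name, term) for term in URGENCY_INDICATORS)


def matched_indicators(msg: Message) -> list[str]:
    """Which indicator terms fired, in rule order; empty if no match.
    Handy when triaging why a particular message alerted."""
    if not matches_rule(msg):
        return []
    return [t for t in URGENCY_INDICATORS if icontains(msg.display_name, t)]


# Constructed sample display names; none are taken from real messages.
SAMPLES = [
    Message("Kindly Respond URGENTLY - CEO Office"),          # matches
    Message("kindly confirm at your earliest convenience"),   # matches
    Message("Accounts Payable"),                              # no 'kindly'
    Message("Kindly Johnson"),                                # 'kindly' alone is not enough
    Message("KINDLY VERIFY your account", inbound=False),     # outbound: excluded
]


def evaluate(msgs: list[Message] = SAMPLES) -> list[tuple[str, list[str]]]:
    """Return (display_name, fired indicators) for every message the rule flags."""
    return [(m.display_name, matched_indicators(m)) for m in msgs if matches_rule(m)]


if __name__ == "__main__":
    for name, hits in evaluate():
        print(f"ALERT {name!r}: {hits}")
```

Two things the run makes concrete: a surname such as "Kindly Johnson" does not alert on its own, and the direction check in `type.inbound` means an internal user with an alarming display name sending outbound mail is ignored. When tuning, remember the match is substring-based, so "review" also fires on a display name like "Kindly Reviewer"; tightening to word boundaries is a separate decision, not what this rule does.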