Suspicious display name: Gmail sender with engaging language
Detects Gmail senders using display names with suspicious language patterns commonly associated with social engineering tactics, including urgency indicators, contact requests, and verification prompts.
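name: "Suspicious display name: Gmail sender with engaging language"
description: "Detects Gmail senders using display names with suspicious language patterns commonly associated with social engineering tactics, including urgency indicators, contact requests, and verification prompts."
type: "rule"
severity: "low"
source: |
  type.inbound
  // Require two distinct lures in the display name; any single token in this
  // list (e.g. "contact", "review") also occurs in ordinary sender names.
  and 2 of (
    // strings.icontains is a case-insensitive *substring* match: short tokens
    // such as "cell", "need", "text" or "reach" will also fire inside ordinary
    // surnames (Purcell, Needham ...). They are kept as substrings so that
    // inflected forms ("urgently", "requested") still count; the month group
    // below is the exception, see its comment.
    strings.icontains(sender.display_name, "kindly"),
    strings.icontains(sender.display_name, 'phone'),
    strings.icontains(sender.display_name, 'cell'),
    strings.icontains(sender.display_name, 'expedite'),
    strings.icontains(sender.display_name, 'urgent'),
    strings.icontains(sender.display_name, 'contact'),
    strings.icontains(sender.display_name, 'review'),
    strings.icontains(sender.display_name, 'confirm'),
    strings.icontains(sender.display_name, 'asap'),
    strings.icontains(sender.display_name, 'follow up'),
    strings.icontains(sender.display_name, 'nicely'),
    strings.icontains(sender.display_name, 'btc'),
    strings.icontains(sender.display_name, 'reply'),
    strings.icontains(sender.display_name, 'respond'),
    strings.icontains(sender.display_name, 'verify'),
    strings.icontains(sender.display_name, 'convenience'),
    strings.icontains(sender.display_name, 'response'),
    strings.icontains(sender.display_name, 'number'),
    strings.icontains(sender.display_name, 'mobile'),
    strings.icontains(sender.display_name, 'text'),
    strings.icontains(sender.display_name, 'request'),
    strings.icontains(sender.display_name, 'required'),
    strings.icontains(sender.display_name, 'important'),
    strings.icontains(sender.display_name, 'need'),
    strings.icontains(sender.display_name, 'quick'),
    strings.icontains(sender.display_name, 'sensitive'),
    strings.icontains(sender.display_name, 'reach'),
    strings.icontains(sender.display_name, 'action'),
    // Weekday / month names count once each, regardless of how many appear.
    (
      strings.icontains(sender.display_name, 'monday')
      or strings.icontains(sender.display_name, 'tuesday')
      or strings.icontains(sender.display_name, 'wednesday')
      or strings.icontains(sender.display_name, 'thursday')
      or strings.icontains(sender.display_name, 'friday')
      or strings.icontains(sender.display_name, 'saturday')
      or strings.icontains(sender.display_name, 'sunday')
    ),
    (
      strings.icontains(sender.display_name, 'january')
      or strings.icontains(sender.display_name, 'february')
      or strings.icontains(sender.display_name, 'march')
      or strings.icontains(sender.display_name, 'april')
      // "may" must be a whole word: as a bare substring it matches very common
      // given and family names (Maya, Mayer, Mayra, Mayo ...) and would supply
      // one of the two required hits on its own.
      or regex.icontains(sender.display_name, '\bmay\b')
      or strings.icontains(sender.display_name, 'june')
      or strings.icontains(sender.display_name, 'july')
      or strings.icontains(sender.display_name, 'august')
      or strings.icontains(sender.display_name, 'september')
      or strings.icontains(sender.display_name, 'october')
      or strings.icontains(sender.display_name, 'november')
      or strings.icontains(sender.display_name, 'december')
    )
  )
  // Scope: consumer Gmail senders only (exact match on the registered domain).
  and sender.email.domain.domain == 'gmail.com'
  // Payload-free messages only: no attachments and no links in the current
  // thread, i.e. the lure is carried entirely by the sender name and text.
  and length(attachments) == 0
  and length(body.current_thread.links) == 0
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "82ca0ff1-e823-5930-aa2d-7d2b572a528b"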