Service abuse: Elastic alerts extortion

Detects inbound messages impersonating the Elastic alerts sender that contain extortion content identified through natural language processing with medium to high confidence.

Sublime rule

```yaml
name: "Service abuse: Elastic alerts extortion"
description: "Detects inbound messages impersonating Elastic alerts sender that contain extortion content identified through natural language processing with medium to high confidence."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == "noreply@alerts.elastic.co"
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "extortion" and .confidence != "low"
  )
attack_types:
  - "Extortion"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Sender analysis"
id: "c8d9c249-0894-5c17-8089-a4db7a02d9d9"
```
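The rule's matching logic, modelled as an added Python example (not Sublime's code and not part of the rule): the `ml.nlu_classifier` call is replaced by a hypothetical keyword stub, and field names mirror the MQL paths. It also exercises the cases where the rule does not fire: a low-confidence intent, non-inbound mail, and a sender address other than the exact alerts address.

```python
from dataclasses import dataclass
from typing import Callable, List

EXPECTED_SENDER = "noreply@alerts.elastic.co"  # sender.email.email in the rule

@dataclass
class Intent:
    name: str        # e.g. "extortion"
    confidence: str  # "low", "medium" or "high"

@dataclass
class Message:
    inbound: bool      # type.inbound
    sender_email: str  # sender.email.email
    body_text: str     # body.current_thread.text

def matches_rule(msg: Message, classify: Callable[[str], List[Intent]]) -> bool:
    """Mirror of the MQL rule: inbound, exact sender match, and any
    'extortion' intent whose confidence is not 'low' (i.e. medium or high)."""
    if not msg.inbound:
        return False
    # MQL string equality is case-insensitive; normalise to match that
    if msg.sender_email.lower() != EXPECTED_SENDER:
        return False
    return any(i.name == "extortion" and i.confidence != "low"
               for i in classify(msg.body_text))

def stub_classifier(text: str) -> List[Intent]:
    """Hypothetical stand-in for ml.nlu_classifier (not Sublime's model):
    confidence rises with the number of extortion cues present."""
    cues = ("pay", "bitcoin", "leak", "expose")
    hits = sum(cue in text.lower() for cue in cues)
    if hits == 0:
        return []
    return [Intent("extortion", {1: "low", 2: "medium"}.get(hits, "high"))]

BODY = "Pay 0.5 bitcoin or we leak and expose your data"  # constructed text
SAMPLES = {  # constructed sample messages, not real traffic
    "extortion_high": Message(True, "noreply@alerts.elastic.co", BODY),
    "extortion_low": Message(True, "noreply@alerts.elastic.co", "Please pay the invoice"),
    "benign_alert": Message(True, "noreply@alerts.elastic.co", "Alert: CPU above threshold"),
    "other_sender": Message(True, "alerts@example.com", BODY),
    "outbound": Message(False, "noreply@alerts.elastic.co", BODY),
}

def evaluate_samples() -> dict:
    """Return {sample name: whether the rule fires}."""
    return {k: matches_rule(m, stub_classifier) for k, m in SAMPLES.items()}
```

Only `extortion_high` fires; the single-cue `extortion_low` sample is classified with low confidence and is deliberately excluded by the `.confidence != "low"` clause.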