Service abuse: Roomsy with unrelated body content

Detects messages from Roomsy.com with a structured noreply sender pattern that contain content unrelated to travel, transportation, or order confirmations.

Sublime rule

name: "Service abuse: Roomsy with unrelated body content"
description: "Detects messages from Roomsy.com with a structured noreply sender pattern that contain content unrelated to travel, transportation, or order confirmations."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain == "roomsy.com"
  and regex.imatch(sender.email.local_part, "noreply[0-9]{5}")
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ("Travel and Transportation", "Order Confirmations")
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "Natural Language Understanding"
id: "18e08a5a-6984-51b8-9e7f-8bdc21c32503"
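To make the rule's three conditions concrete, the following is an added Python re-implementation of the same logic run over constructed sample messages; it is not Sublime's code and not part of the rule above. The `ml.nlu_classifier` call is replaced by a hypothetical keyword heuristic (`classify_topics`), `root_domain` is simplified to the last two labels rather than the public suffix list, every sample is assumed to be inbound, and the sender addresses and bodies are invented for illustration. Note that `regex.imatch` is a whole-string match, which the code mirrors with `fullmatch`, and that the rule's `not any(...)` also fires when the classifier returns no topics at all.

```python
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    body: str


# Simplified root-domain extraction (assumption: last two labels). Sublime's
# root_domain uses the public suffix list, so e.g. "roomsy.co.uk" would differ.
def root_domain(email_domain: str) -> str:
    labels = email_domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else email_domain.lower()


def split_address(addr: str):
    local, _, domain = addr.rpartition("@")
    return local, domain


# Equivalent of regex.imatch(sender.email.local_part, "noreply[0-9]{5}"):
# case-insensitive and anchored to the whole local part.
SENDER_LOCAL = re.compile(r"noreply[0-9]{5}", re.IGNORECASE)

# Hypothetical stand-in for ml.nlu_classifier(...).topics: a keyword map.
TOPIC_KEYWORDS = {
    "Travel and Transportation": ("reservation", "check-in", "booking", "stay"),
    "Order Confirmations": ("order", "receipt", "confirmation", "invoice"),
    "Credential Theft": ("verify your account", "password", "suspended"),
}

EXPECTED_TOPICS = {"Travel and Transportation", "Order Confirmations"}


def classify_topics(text: str) -> list:
    t = text.lower()
    return [name for name, kws in TOPIC_KEYWORDS.items() if any(k in t for k in kws)]


def is_roomsy_service_abuse(msg: Message) -> bool:
    """Mirror of the rule: Roomsy root domain, noreply+5 digits, and no
    topic in the expected set (which includes the 'no topics' case)."""
    local, domain = split_address(msg.sender)
    if root_domain(domain) != "roomsy.com":
        return False
    if SENDER_LOCAL.fullmatch(local) is None:
        return False
    topics = classify_topics(msg.body)
    return not any(t in EXPECTED_TOPICS for t in topics)


# Constructed samples, labelled by what they exercise.
SAMPLES = {
    "legit_booking": Message(
        "noreply12345@roomsy.com",
        "Your reservation is confirmed. Check-in is Friday at 15:00.",
    ),
    "phish_via_subdomain": Message(
        "noreply98765@mail.roomsy.com",
        "Your account has been suspended. Verify your account and password here.",
    ),
    "lookalike_domain": Message(
        "noreply12345@roomsy.com.example",
        "Your account has been suspended. Verify your account now.",
    ),
    "wrong_local_part": Message(
        "support@roomsy.com",
        "Your account has been suspended. Verify your account now.",
    ),
    "six_digits": Message(
        "noreply123456@roomsy.com",
        "Your account has been suspended. Verify your account now.",
    ),
    "empty_topics": Message(
        "NOREPLY00001@roomsy.com",
        "Hi, please call me back about that thing.",
    ),
}


def evaluate_samples() -> dict:
    return {name: is_roomsy_service_abuse(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22s} -> {'FLAG' if hit else 'pass'}")
```

The `lookalike_domain`, `wrong_local_part` and `six_digits` cases show how narrowly the sender conditions scope the rule: the body text alone never triggers it, which is what keeps a rule like this at medium severity without drowning the queue in generic phishing. The `empty_topics` case is the caveat to keep in mind when tuning: a short, topic-free body from a matching sender is treated as "unrelated" and fires.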