Fraudulent order confirmation/shipping notification from Chinese sender domain

Detects an order confirmation/shipping notification from a suspicious sender domain based in China. The order may be legitimately placed by the user, but the store is fraudulent and it is unlikely that their order will arrive. Links to these e-commerce sites have been observed in online advertising. We recommend enabling a custom warning banner to alert users and prompt them to contact their bank to recover their funds.

Sublime rule (View on GitHub)

name: "Fraudulent order confirmation/shipping notification from Chinese sender domain"
description: "Detects an order confirmation/shipping notification from a suspicious sender domain based in China. The order may be legitimately placed by the user, but the store is fraudulent and it is unlikely that their order will arrive. Links to these e-commerce sites have been observed in online advertising. We recommend enabling a custom warning banner to alert users and prompt them to contact their bank to recover their funds."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // direct to recipient: a single To: address and no prior thread history
  and length(recipients.to) == 1
  and length(body.previous_threads) == 0

  // Known patterns: empty display name or a generic "support" mailbox,
  // with any Reply-To staying on the sender's root domain
  and (sender.display_name is null or sender.email.local_part == "support")
  and all(headers.reply_to, .email.domain.root_domain == sender.email.domain.root_domain)

  // Alibaba Cloud nameservers: the sender domain must resolve via hichina.com only
  and length(network.whois(sender.email.domain).name_servers) > 0
  and all(network.whois(sender.email.domain).name_servers,
          .root_domain == "hichina.com"
  )

  // Shipping notification: NLU topic of the current message body
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in ("Shipping and Package", "Order Confirmations")
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Whois"
id: "4392a14e-421e-5e2f-8659-a92d1a6bb1fd"
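The following is an added Python model of the rule's five conditions, run over constructed sample messages; it is not Sublime's rule engine or code from the rule's repository. The whois nameserver table (`FAKE_WHOIS_NS`), the keyword-based `fake_nlu_topics` classifier, the `root_domain` helper and all `.test` domains are stand-ins invented for the example, so the real `network.whois` and `ml.nlu_classifier` functions are never called.

```python
"""Model of the 'Fraudulent order confirmation/shipping notification' rule.

Added example, not Sublime's code. Whois and NLU lookups are stubbed with
constructed data so the logic can be exercised offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def root_domain(hostname: str) -> str:
    """Hypothetical helper: last two labels of a hostname.

    MQL's .root_domain uses a public-suffix list; this naive version is
    enough for the constructed sample data below.
    """
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname.lower()


@dataclass
class Message:
    """Subset of message fields the rule inspects."""
    inbound: bool
    recipients_to: List[str]
    previous_threads: int
    sender_display_name: Optional[str]
    sender_email: str
    reply_to: List[str]
    body_text: str


# Constructed stand-in for network.whois(domain).name_servers
FAKE_WHOIS_NS: Dict[str, List[str]] = {
    "example-shop.test": ["dns1.hichina.com", "dns2.hichina.com"],
    "legit-retailer.test": ["ns1.example-dns.test", "ns2.example-dns.test"],
    "noreg.test": [],  # whois returned no nameservers
}


def fake_nlu_topics(text: str) -> List[str]:
    """Constructed stand-in for ml.nlu_classifier(text).topics (keyword match)."""
    t = text.lower()
    topics = []
    if any(k in t for k in ("shipped", "tracking", "package", "delivery")):
        topics.append("Shipping and Package")
    if any(k in t for k in ("order confirmed", "order confirmation", "thank you for your order")):
        topics.append("Order Confirmations")
    return topics


def matches_rule(msg: Message) -> bool:
    """Return True when every condition of the rule's `source` holds."""
    local_part, sender_domain = msg.sender_email.split("@", 1)
    sender_root = root_domain(sender_domain)

    # type.inbound, single To: recipient, no previous threads
    if not msg.inbound or len(msg.recipients_to) != 1 or msg.previous_threads != 0:
        return False
    # sender.display_name is null or local part is "support"
    if not (msg.sender_display_name is None or local_part == "support"):
        return False
    # all Reply-To addresses share the sender's root domain (vacuously true if none)
    if not all(root_domain(r.split("@", 1)[1]) == sender_root for r in msg.reply_to):
        return False
    # whois nameservers present and all rooted at hichina.com
    name_servers = FAKE_WHOIS_NS.get(sender_domain, [])
    if not name_servers or not all(root_domain(ns) == "hichina.com" for ns in name_servers):
        return False
    # NLU topic is a shipping or order-confirmation notice
    return any(t in ("Shipping and Package", "Order Confirmations") for t in fake_nlu_topics(msg.body_text))


# Constructed sample messages covering the match and three non-match paths
SAMPLE_MESSAGES: Dict[str, Message] = {
    "fraud_shop": Message(True, ["alice@corp.test"], 0, None, "support@example-shop.test", [],
                          "Your order has shipped! Tracking number inside."),
    "legit_retailer": Message(True, ["alice@corp.test"], 0, None, "support@legit-retailer.test", [],
                              "Your order has shipped! Tracking number inside."),
    "reply_in_thread": Message(True, ["alice@corp.test"], 1, None, "support@example-shop.test", [],
                               "Your order has shipped! Tracking number inside."),
    "named_sender": Message(True, ["alice@corp.test"], 0, "Shop Orders", "orders@example-shop.test", [],
                            "Thank you for your order, it has shipped."),
}


def triage() -> Dict[str, bool]:
    """Evaluate the rule over every constructed sample message."""
    return {label: matches_rule(m) for label, m in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for label, hit in triage().items():
        print(f"{label:16s} -> {'MATCH' if hit else 'no match'}")
```

Only the first sample trips every condition; the others show how a non-Alibaba nameserver, an existing thread, or a named non-"support" sender each drop the message out before the NLU check runs, which is the order in which the real rule short-circuits as well.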