Spam: Attendee List solicitation

calendar Jul 12, 2024 · Attack surface reduction  ·
Share on: linkedin copy

This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request.

Sublime rule (View on GitHub)

 1name: "Spam: Attendee List solicitation"
 2description: "This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 2000
 8  and length(body.links) < 5
 9  and regex.icontains(body.current_thread.text,
10                      "(Attendee|Member|Participant|User|Visitor|Registrant|Buyer)(s)?.{0,20}(list|database)"
11  )
12  and regex.icontains(body.current_thread.text,
13                      "(interested|accessing|purchas|obtain|acuir|sample)"
14  )
15  and not regex.icontains(body.current_thread.text,
16                    "(debit card|transaction.{0,20}processed)"
17  )
18  
19  and not profile.by_sender().solicited
20  and not profile.by_sender().any_false_positives  
21
22tags:
23  - "Attack surface reduction"
24attack_types:
25  - "Spam"
26detection_methods:
27  - "Content analysis"
28  - "Sender analysis"
29id: "69715b62-7747-5f85-a399-dc72c3f8cb7d"

Related rules

to-top