Spam: Attendee List solicitation

This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request.

Sublime rule (View on GitHub)

 1name: "Spam: Attendee List solicitation"
 2description: "This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 2000
 8  and length(body.links) < 5
 9  and regex.icontains(body.current_thread.text,
10                      "(Attendee|Member|Participant)(s)?.{0,20}(list|database)"
11  )
12  and regex.icontains(body.current_thread.text,
13                      "(interested|accessing|purchas|obtain|acuir|sample)"
14  )
15  
16  and not profile.by_sender().solicited
17  and not profile.by_sender().any_false_positives  
18
19tags:
20  - "Attack surface reduction"
21attack_types:
22  - "Spam"
23detection_methods:
24  - "Content analysis"
25  - "Sender analysis"
26id: "69715b62-7747-5f85-a399-dc72c3f8cb7d"

Related rules

to-top