Spam: Attendee List solicitation

This rule detects messages claiming to have the attendee list from a specific event. Such messages may list details such as the number of contacts, the demographic, and sample contacts, and they typically offer to send pricing information upon request.

Sublime rule (View on GitHub)

name: "Spam: Attendee List solicitation"
description: "This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request."
type: "rule"
severity: "low"
source: |
  type.inbound
  and length(body.current_thread.text) < 2000
  and length(body.links) < 5
  and (
    regex.icontains(body.current_thread.text,
                    "(Attendee|Member|Participant|User|Visitor|Registrant|Buyer|Email)(s)?[^\n\r]{0,20}(list|database)"
    )
    or regex.icontains(body.current_thread.text,
                       "(list|database)[^\n\r]{0,20}(Attendee|Member|Participant|User|Visitor|Registrant|Buyer|Email)(s)?"
    )
    or regex.icontains(body.current_thread.text,
                       '((demand|lead\b|marketing)[^\n\r]{0,20}(manager|head|lead|supervisor|executive))'
    )
  )
  and regex.icontains(body.current_thread.text,
                      "(interested|accessing|purchas|obtain|acquir|sample)"
  )
  and not regex.icontains(body.current_thread.text,
                          "(debit card|transaction.{0,20}processed)"
  )
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives
tags:
  - "Attack surface reduction"
attack_types:
  - "Spam"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "69715b62-7747-5f85-a399-dc72c3f8cb7d"
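As an added example (not code from the Sublime rule or its repository), the rule's content checks transcribed into Python and run over constructed sample messages. The sender-profile signals (`solicited`, `any_false_positives`) come from Sublime's sender history, so here they are passed in as plain booleans; the sample texts are constructed for illustration.

```python
import re

# Patterns transcribed from the rule's source block (regex.icontains is case-insensitive).
LIST_BEFORE = re.compile(
    r"(Attendee|Member|Participant|User|Visitor|Registrant|Buyer|Email)(s)?[^\n\r]{0,20}(list|database)",
    re.IGNORECASE)
LIST_AFTER = re.compile(
    r"(list|database)[^\n\r]{0,20}(Attendee|Member|Participant|User|Visitor|Registrant|Buyer|Email)(s)?",
    re.IGNORECASE)
ROLE = re.compile(
    r"(demand|lead\b|marketing)[^\n\r]{0,20}(manager|head|lead|supervisor|executive)",
    re.IGNORECASE)
INTENT = re.compile(r"(interested|accessing|purchas|obtain|acquir|sample)", re.IGNORECASE)
# Exclusion: receipts/transaction notices that mention a list are not solicitations.
EXCLUDE = re.compile(r"(debit card|transaction.{0,20}processed)", re.IGNORECASE)


def matches_attendee_list_rule(text, links, solicited=False, any_false_positives=False):
    """Return True when the message would trip the rule's content and sender checks."""
    if len(text) >= 2000 or len(links) >= 5:          # size/link gates
        return False
    if not (LIST_BEFORE.search(text) or LIST_AFTER.search(text) or ROLE.search(text)):
        return False                                    # no list/database or role phrasing
    if not INTENT.search(text):
        return False                                    # no "interested/purchase/sample" intent
    if EXCLUDE.search(text):
        return False                                    # looks like a transaction notice
    return not solicited and not any_false_positives   # sender-profile exclusions


# Constructed samples (hypothetical event name and figures).
SAMPLE_SPAM = ("Hi,\nWould you be interested in the attendee list of CloudExpo 2024? "
               "12,500 contacts with emails, titles and phone numbers. "
               "Let me know and I will share pricing.\nRegards,\nMia")
SAMPLE_ROLE = ("I am the demand generation manager at a data firm and I can share a "
               "sample of marketing contacts if you are interested.")
SAMPLE_RECEIPT = ("Your purchase of the attendee list has been processed. A transaction of "
                  "$49 was processed to your debit card ending 1234.")
SAMPLE_BENIGN = ("Reminder: the member list for the board meeting is attached. "
                 "Please review before Thursday.")

if __name__ == "__main__":
    for name, txt in [("spam", SAMPLE_SPAM), ("role", SAMPLE_ROLE),
                      ("receipt", SAMPLE_RECEIPT), ("benign", SAMPLE_BENIGN)]:
        print(name, matches_attendee_list_rule(txt, []))
```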
