Spam: Cryptocurrency airdrop/giveaway
Detects messages promoting cryptocurrency airdrops, token claims, or wallet-related rewards.
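name: "Spam: Cryptocurrency airdrop/giveaway"
description: "Detects messages promoting cryptocurrency airdrops, token claims, or wallet-related rewards."
type: "rule"
severity: "low"
# Structure of the query: every clause below is AND-ed, so a message must
# (1) be inbound, (2) be classified as financial but not newsletter/news,
# (3) contain an airdrop/claim "action" phrase, (4) contain a crypto keyword
# or a $TICKER-style token name, and (5) not come from an authenticated,
# allow-listed brand domain.
source: |
  type.inbound
  // NLU topic gate: require the "Financial Communications" topic ...
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in ("Financial Communications")
  )
  // ... and drop bulk newsletter / news content that also discusses crypto.
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ('Newsletters and Digests', 'News and Current Events')
  )
  // action word: the message must ask the reader to claim / receive something.
  // NOTE(review): strings.like on the body is case-sensitive, while the subject
  // check below uses strings.ilike; confirm whether body hits on "Airdrop" /
  // "AIRDROP" are meant to rely only on the regex.icontains alternatives.
  and (
    strings.like(body.current_thread.text, '*airdrop*')
    or strings.ilike(subject.base, '*airdrop*')
    or regex.icontains(body.current_thread.text, 'receive \$\d{2,5} worth')
    or regex.icontains(body.current_thread.text, 'claim your (allocation|airdrop|bonus|share|\$\d{2,5})')
  )
  // presumably suppresses retail "$20 off" / "$50 cash" promotions that can
  // otherwise satisfy the generic "wallet" keyword below -- confirm intent.
  and not regex.icontains(body.current_thread.text, '\$\d{2,4} (off|cash)')
  and (
    // crypto keyword: any of several patterns, matched case-insensitively.
    regex.icontains(body.current_thread.text,
                    '\bmetamask\b',
                    '\bethereum\b',
                    '\bbinance\b',
                    '\bgemini\b',
                    '\bwallet\b',
                    '\bkraken\b',
                    '\bsolana\b',
                    '\btrezor\b',
                    '\bledger\b'
    )
    // token name, e.g. $USDT -- regex.contains (case-sensitive) so only an
    // upper-case 3-4 letter ticker bounded by whitespace matches.
    or regex.contains(body.current_thread.text, '\s\$[A-Z]{3,4}\s')
  )
  // Brand allow-list: suppression applies only when the root domain is in the
  // list AND DMARC passed, so a message merely claiming one of these domains
  // in its From: without passing DMARC still matches.
  and not (
    sender.email.domain.root_domain in ("gemini.com", "ledger.com", "binance.com", "trezor.io", "kraken.com", "solana.com", "metamask.com", "ethereum.org", "bloomberg.com")
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Social engineering"
  - "Impersonation: Brand"
detection_methods:
  - "Content analysis"
id: "80a2e2fd-6ba1-5989-b9c5-d1e515f3dc82"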