Spam: Cryptocurrency airdrop/giveaway
Detects messages promoting cryptocurrency airdrops, token claims, or wallet-related rewards.
Sublime rule (MQL source in YAML)
 1name: "Spam: Cryptocurrency airdrop/giveaway"
 2description: "Detects messages promoting cryptocurrency airdrops, token claims, or wallet-related rewards."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  and any(ml.nlu_classifier(body.current_thread.text).topics,
 8          .name in ("Financial Communications")
 9  )
10  and not any(ml.nlu_classifier(body.current_thread.text).topics,
11              .name in (
12                'Newsletters and Digests',
13                'News and Current Events',
14                'Legal and Compliance'
15              )
16  )
17  and not any(ml.nlu_classifier(body.current_thread.text).intents,
18              .name == "benign" and .confidence == "high"
19  )
20  // action word
21  and (
22    strings.ilike(subject.base, '*airdrop*')
23    or strings.like(body.current_thread.text, '*airdrop*')
24    or strings.ilike(subject.base, '*giveaway*')
25    or strings.like(body.current_thread.text, '*giveaway*')
26    or regex.icontains(body.current_thread.text, 'receive \$\d{2,5} worth')
27    or regex.icontains(body.current_thread.text,
28                       'claim your (allocation|airdrop|bonus|share|\$\d{2,5})'
29    )
30    or regex.icontains(body.current_thread.text, 'connect .{0,20} wallet')
31  )
32  and not regex.icontains(body.current_thread.text, '\$\d{2,4} (off|cash)')
33  and (
34    // crypto keyword
35    regex.icontains(body.current_thread.text,
36                    '\bmetamask\b',
37                    '\bethereum\b',
38                    '\bbinance\b',
39                    '\bgemini\b',
40                    '\bwallet\b',
41                    '\bkraken\b',
42                    '\bsolana\b',
43                    '\btrezor\b',
44                    '\bledger\b'
45    )
46    // token name, e.g. $USDT
47    or regex.contains(body.current_thread.text, '\s\$[A-Z]{3,4}\s')
48  )
49  and not (
50    sender.email.domain.root_domain in (
51      "gemini.com",
52      "ledger.com",
53      "binance.com",
54      "trezor.io",
55      "kraken.com",
56      "solana.com",
57      "metamask.com",
58      "ethereum.org",
59      "bloomberg.com"
60    )
61    and headers.auth_summary.dmarc.pass
62  )  
63attack_types:
64  - "Spam"
65tactics_and_techniques:
66  - "Social engineering"
67  - "Impersonation: Brand"
68detection_methods:
69  - "Content analysis"
70id: "80a2e2fd-6ba1-5989-b9c5-d1e515f3dc82"