Spam: Fake dating profile notification
Detects dating-themed messages from free email providers containing links with the recipient's email address embedded in URL parameters, combined with suspicious language or topics in the message body.
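name: "Spam: Fake dating profile notification"
description: "Detects dating-themed messages from free email providers containing links with the recipient's email address embedded in URL parameters, combined with suspicious language or topics in the message body."
type: "rule"
severity: "low"
source: |
  type.inbound
  // sender is on a free email provider
  and sender.email.domain.root_domain in $free_email_providers
  // not a reply
  and length(headers.references) == 0
  // the thread links to only a small set of destinations (1-3 distinct root domains)
  and 0 < length(distinct(body.current_thread.links, .href_url.domain.root_domain)) <= 3
  // at least one link shows a tracking/lure pattern
  and any(body.links,
          // the recipient's own address is embedded in a decoded query parameter
          (
            any(values(.href_url.query_params_decoded),
                any(.,
                    strings.parse_email(.).email in map(recipients.to,
                                                        .email.email
                    )
                )
            )
          )
          // call-to-action link text such as "open/view/read/private ... message"
          or regex.icontains(.display_text,
                             '(?:(open|view|read|private).{0,15}message)'
          )
          // link path or link text classified under a romance / sexually explicit topic
          or any([.href_url.path, .display_text],
                 any((ml.nlu_classifier(.).topics),
                     .name in ("Romance", "Sexually Explicit Messages")
                 )
          )
          // visit the URL and check the effective URL's decoded query parameters
          // for the recipient's address as well
          or any(values(ml.link_analysis(.).effective_url.query_params_decoded),
                 any(.,
                     strings.parse_email(.).email in map(recipients.to,
                                                         .email.email
                     )
                 )
          )
  )
  // the body itself must also read as dating-themed: either an "org" entity
  // with a dating-style name, or a "Romance" topic
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "org"
        and strings.ilike(.text,
                          "*Flirt*",
                          "*Singles*",
                          "*Date*",
                          "*Dating*",
                          "*Girls*",
                          "*Love*",
                          "*Hook*up*"
        )
    )
    or any(ml.nlu_classifier(body.current_thread.text).topics, .name == "Romance")
  )

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "0f33fea2-1508-5ae8-a31b-9d498dfcadba"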