Suspicious request for financial information
Email is from a suspicious sender and contains a request for financial information, such as AR reports.
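name: "Suspicious request for financial information"
description: "Email is from a suspicious sender and contains a request for financial information, such as AR reports."
type: "rule"
severity: "high"
source: |
  // inbound, low-recipient-count mail from a sender we have little reason to trust,
  // asking for AR/AP, reconciliation or remittance material
  type.inbound
  and length(attachments) <= 1
  and length(recipients.to) <= 2
  // suspicious sender: every reply-to is off-domain and outside the org,
  // or a free-mail sender, or a sender first seen less than 3 days ago
  and (
    (
      length(headers.reply_to) > 0
      and all(headers.reply_to,
              .email.domain.root_domain != sender.email.domain.root_domain
              and .email.domain.root_domain not in $org_domains
      )
    )
    or sender.email.domain.root_domain in $free_email_providers
    or profile.by_sender().days_known < 3
  )
  // specific financial language
  and (
    // NOTE(review): the second subject pattern's top-level '|' lets 'billing records?'
    // match on its own, independent of the reconciliation clause - confirm that is intended
    regex.icontains(subject.subject,
                    '\b(Aged|Age?ing) (Payables|Receivables|Report)',
                    'reconcill?iation (report|statement).*(issued (settlement|advice)s?)|billing records?'
    )
    or (
      // '\bAP\b' replaces the former '\b\AP\b': in RE2/PCRE-style engines '\A' anchors at
      // the start of text, so that alternative could never match after '(updated|recent) '
      regex.icontains(body.current_thread.text,
                      '\b(Aged|Age?ing) (Payables|Receivables|Report)',
                      '(updated|recent) (\bAR\b|\bAP\b|\bAR\b \& \bAP\b|accounts?) (Payables|Receivables|Reports)',
                      '(send|forward|provide).*remittance (advice|statements?)'
      )
      or strings.icontains(body.current_thread.text,
                           "copy of a current statement"
      )
      or (
        strings.icontains(body.current_thread.text, "please send all past due")
        and strings.icontains(body.current_thread.text, "current invoices")
      )
    )
    // suspicious link display text
    or (
      any(body.links,
          regex.icontains(.display_text,
                          '(Payment|Remittance|Settlement|Transfer) ?Batch',
          )
      )
    )
    // suspicious sender display name
    or (
      regex.icontains(sender.display_name,
                      'Account(s)? Payable (?:Dep(\.|t\.?|artment)|e?Receipt)'
      )
      // sender email listed as a recipient or recipients undisclosed/null
      and (
        (
          sender.email.email in map(recipients.to, .email.email)
          or (length(recipients.to) == 0 or length(recipients.to) is null)
        )
        // non-benign nlu intent
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name != "benign"
        )
      )
    )
  )
  // negate resume related/job inquiry outreach
  and not (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Professional and Career Development" and .confidence == "high"
    )
    and any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "benign" and .confidence != "low"
    )
  )
  // high-trust root domains only count when DMARC does not pass; all other domains always count
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // suppress senders with prior benign history
  and not profile.by_sender().any_messages_benign

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Employee"
  - "Impersonation: VIP"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "4ebdaa4d-4db2-56c6-9a6c-220ad49b7681"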