Suspicious Request for Financial Information
Email is from a suspicious sender and contains a request for financial information, such as AR reports.
Sublime rule (View on GitHub)
1name: "Suspicious Request for Financial Information"
2description: "Email is from a suspicious sender and contains a request for financial information, such as AR reports."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 // no attachments
8 and length(attachments) == 0
9 // direct to recipient
10 and length(recipients.to) == 1
11 // suspicious sender
12 and (
13 (
14 length(headers.reply_to) > 0
15 and all(headers.reply_to,
16 .email.domain.root_domain != sender.email.domain.root_domain
17 and .email.domain.root_domain not in $org_domains
18 )
19 )
20 or sender.email.domain.root_domain in $free_email_providers
21 or profile.by_sender().days_known < 3
22 )
23 // specific financial language
24 and (
25 regex.icontains(subject.subject,
26 '\b(Aged|Age?ing) (Payables|Receivables|Report)'
27 )
28 or regex.icontains(body.current_thread.text,
29 '\b(Aged|Age?ing) (Payables|Receivables|Report)',
30 'updated (\bAR\b|accounts? (Payables|Receivables))'
31 )
32 )
33 and (
34 (
35 sender.email.domain.root_domain in $high_trust_sender_root_domains
36 and not headers.auth_summary.dmarc.pass
37 )
38 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
39 )
40 and not profile.by_sender().any_false_positives
41
42attack_types:
43 - "BEC/Fraud"
44tactics_and_techniques:
45 - "Free email provider"
46 - "Impersonation: Employee"
47 - "Impersonation: VIP"
48 - "Social engineering"
49detection_methods:
50 - "Content analysis"
51 - "Header analysis"
52 - "Sender analysis"
53id: "4ebdaa4d-4db2-56c6-9a6c-220ad49b7681"