Suspicious request for financial information

Email is from a suspicious sender and contains a request for financial information, such as AR reports.

Sublime rule (View on GitHub)

 1name: "Suspicious request for financial information"
 2description: "Email is from a suspicious sender and contains a request for financial information, such as AR reports."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(attachments) <= 1
 8  and length(recipients.to) <= 2
 9  // suspicious sender
10  and (
11    (
12      length(headers.reply_to) > 0
13      and all(headers.reply_to,
14              .email.domain.root_domain != sender.email.domain.root_domain
15              and .email.domain.root_domain not in $org_domains
16      )
17    )
18    or sender.email.domain.root_domain in $free_email_providers
19    or profile.by_sender().days_known < 3
20  )
21  // specific financial language
22  and (
23    regex.icontains(subject.subject,
24                    '\b(Aged|Age?ing) (Payables|Receivables|Report)',
25                    'reconcill?iation (report|statement).*(issued (settlement|advice)s?)|billing records?'
26    )
27    or (
28      regex.icontains(body.current_thread.text,
29                      '\b(Aged|Age?ing) (Payables|Receivables|Report)',
30                      '(updated|recent) (\bAR\b|\b\AP\b|\bAR\b \& \bAP\b|accounts?) (Payables|Receivables|Reports)',
31                      '(send|forward|provide).*remittance (advice|statements?)'
32      )
33      or strings.icontains(body.current_thread.text,
34                           "copy of a current statement"
35      )
36      or (
37        strings.icontains(body.current_thread.text, "please send all past due")
38        and strings.icontains(body.current_thread.text, "current invoices")
39      )
40    )
41    // suspicious link display text
42    or (
43      any(body.links,
44          regex.icontains(.display_text,
45                          '(Payment|Remittance|Settlement|Transfer) ?Batch',
46          )
47      )
48    )
49    // suspicious sender display name
50    or (
51      regex.icontains(sender.display_name,
52                      'Account(s)? Payable Dep(\.|t\.?|artment)'
53      )
54      // sender email listed as a recipient or recipients undisclosed/null
55      and (
56        sender.email.email in map(recipients.to, .email.email)
57        or (length(recipients.to) == 0 or length(recipients.to) is null)
58      )
59    )
60  )
61  // negate resume related/job inquiry outreach 
62  and not (
63    any(ml.nlu_classifier(body.current_thread.text).topics,
64        .name == "Professional and Career Development" and .confidence == "high"
65    )
66    and any(ml.nlu_classifier(body.current_thread.text).intents,
67            .name == "benign" and .confidence != "low"
68    )
69  )
70  and (
71    (
72      sender.email.domain.root_domain in $high_trust_sender_root_domains
73      and not headers.auth_summary.dmarc.pass
74    )
75    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
76  )
77  and not profile.by_sender().any_messages_benign  
78
79attack_types:
80  - "BEC/Fraud"
81tactics_and_techniques:
82  - "Free email provider"
83  - "Impersonation: Employee"
84  - "Impersonation: VIP"
85  - "Social engineering"
86detection_methods:
87  - "Content analysis"
88  - "Header analysis"
89  - "Sender analysis"
90id: "4ebdaa4d-4db2-56c6-9a6c-220ad49b7681"