Suspicious Request for Financial Information

 1name: "Suspicious Request for Financial Information"
 2description: "Email is from a suspicious sender and contains a request for financial information, such as AR reports."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  // no attachments
 8  and length(attachments) == 0
 9  // direct to recipient
10  and length(recipients.to) == 1
11  // suspicious sender
12  and (
13    (
14      length(headers.reply_to) > 0
15      and all(headers.reply_to,
16              .email.domain.root_domain != sender.email.domain.root_domain
17              and .email.domain.root_domain not in $org_domains
18      )
19    )
20    or sender.email.domain.root_domain in $free_email_providers
21    or profile.by_sender().days_known < 3
22  )
23  // specific financial language
24  and (
25    regex.icontains(subject.subject,
26                    '\b(Aged|Age?ing) (Payables|Receivables|Report)'
27    )
28    or regex.icontains(body.current_thread.text,
29                       '\b(Aged|Age?ing) (Payables|Receivables|Report)',
30                       "updated (AR|accounts? (Payables|Receivables))"
31    )
32  )
33  and (
34    (
35      sender.email.domain.root_domain in $high_trust_sender_root_domains
36      and not headers.auth_summary.dmarc.pass
37    )
38    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
39  )
40  and not profile.by_sender().any_false_positives  
41
42attack_types:
43  - "BEC/Fraud"
44tactics_and_techniques:
45  - "Free email provider"
46  - "Impersonation: Employee"
47  - "Impersonation: VIP"
48  - "Social engineering"
49detection_methods:
50  - "Content analysis"
51  - "Header analysis"
52  - "Sender analysis"
53id: "4ebdaa4d-4db2-56c6-9a6c-220ad49b7681"