Suspicious request for financial information

Email is from a suspicious sender and contains a request for financial information, such as AR reports.

Sublime rule (View on GitHub)

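  # Sublime detection rule. The `source` block scalar is an MQL query and is
  # passed to the query engine verbatim, so comments inside it use MQL's `//`
  # syntax rather than YAML `#`.
  name: "Suspicious request for financial information"
  description: "Email is from a suspicious sender and contains a request for financial information, such as AR reports."
  type: "rule"
  severity: "high"
  source: |
    type.inbound
    // narrow scope: at most one attachment and at most two To: recipients
    and length(attachments) <= 1
    and length(recipients.to) <= 2
    // suspicious sender: every reply-to root domain differs from the sender's
    // and is not an org domain, or the sender uses a free email provider,
    // or the sender profile has been known for fewer than 3 days
    and (
      (
        length(headers.reply_to) > 0
        and all(headers.reply_to,
                .email.domain.root_domain != sender.email.domain.root_domain
                and .email.domain.root_domain not in $org_domains
        )
      )
      or sender.email.domain.root_domain in $free_email_providers
      or profile.by_sender().days_known < 3
    )
    // specific financial language (subject, body, link text, or display name)
    and (
      regex.icontains(subject.subject,
                      '\b(Aged|Age?ing) (Payables|Receivables|Report)',
                      'reconcill?iation (report|statement).*(issued (settlement|advice)s?)|billing records?'
      )
      // FIX: the AP alternative was written `\b\AP\b`; `\A` is a start-of-text
      // anchor, so that branch could never match after the leading word and space.
      or (
        regex.icontains(body.current_thread.text,
                        '\b(Aged|Age?ing) (Payables|Receivables|Report)',
                        '(updated|recent) (\bAR\b|\bAP\b|\bAR\b \& \bAP\b|accounts?) (Payables|Receivables|Reports)',
                        '(shared?|send|forward|provide).*remittance (advice|receipts?|statements?)'
        )
        or strings.icontains(body.current_thread.text,
                             "copy of a current statement"
        )
        or (
          strings.icontains(body.current_thread.text, "please send all past due")
          and strings.icontains(body.current_thread.text, "current invoices")
        )
      )
      // suspicious link display text
      or (
        any(body.links,
            regex.icontains(.display_text,
                            '(Payment|Remittance|Settlement|Transfer) ?Batch',
            )
        )
      )
      // suspicious sender display name (accounts payable / receipt / coordinator roles)
      or (
        regex.icontains(sender.display_name,
                        'Accounts? (?:Payable (?:Dep(\.|t\.?|artment)|e?Receipt)|(Co[[:punct:]]?ordinator|Admin|Manager|Payee))'
        )
        // sender email listed as a recipient or recipients undisclosed/null
        and (
          (
            sender.email.email in map(recipients.to, .email.email)
            or (length(recipients.to) == 0 or length(recipients.to) is null)
          )
          // non-benign nlu intent
          or any(ml.nlu_classifier(body.current_thread.text).intents,
                 .name != "benign"
          )
        )
      )
      // high-confidence cred_theft intent together with a "remittance" financial entity
      or (
        any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "cred_theft" and .confidence == "high"
        )
        and any(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "financial" and .text =~ "remittance"
        )
      )
    )
    // negate resume related/job inquiry outreach
    and not (
      any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "Professional and Career Development" and .confidence == "high"
      )
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "benign" and .confidence != "low"
      )
    )
    // high-trust sender root domains are only flagged when DMARC does not pass;
    // all other root domains pass through this check
    and (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        and not headers.auth_summary.dmarc.pass
      )
      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
    )
    // exclude senders whose profile already has benign messages
    and not profile.by_sender().any_messages_benign

  attack_types:
    - "BEC/Fraud"
  tactics_and_techniques:
    - "Free email provider"
    - "Impersonation: Employee"
    - "Impersonation: VIP"
    - "Social engineering"
  detection_methods:
    - "Content analysis"
    - "Header analysis"
    - "Sender analysis"
  # stable rule identifier (UUID)
  id: "4ebdaa4d-4db2-56c6-9a6c-220ad49b7681"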