Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss, or data leakage.
Sublime rule (View on GitHub)
1name: "Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern"
2description: |
3 RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations.
4 These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss, or data leakage.
5type: "rule"
6severity: "medium"
7source: |
8 type.inbound
9 and 1 of (
10 (
11 (
12 length(recipients.to) == 0
13 or all(recipients.to, .display_name == "Undisclosed recipients")
14 )
15 and length(recipients.cc) == 0
16 and length(recipients.bcc) == 0
17 ),
18 (
19 sender.email.domain.root_domain in $free_email_providers
20 and any(headers.reply_to, .email.email != sender.email.email)
21 and any(headers.reply_to, .email.email not in $recipient_emails)
22 ),
23 (
24 length(headers.reply_to) > 0
25 and all(headers.reply_to,
26 .email.domain.root_domain != sender.email.domain.root_domain
27 )
28 )
29 )
30 and (
31 2 of (
32 (
33 regex.icontains(body.current_thread.text,
34 '(discuss.{0,15}purchas(e|ing))'
35 )
36 ),
37 (
38 regex.icontains(body.current_thread.text,
39 '(sign(ed?)|view).{0,10}(purchase order)|Request for a Quot(e|ation)'
40 )
41 ),
42 (regex.icontains(body.current_thread.text, '(please|kindly).{0,30}quote')),
43 (
44 regex.icontains(subject.subject,
45 '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
46 )
47 ),
48 (
49 any(attachments,
50 regex.icontains(.file_name, "(purchase.?order|Quot(e|ation))")
51 )
52 ),
53 (
54 any(ml.nlu_classifier(body.current_thread.text).entities,
55 .name == "request"
56 )
57 and any(ml.nlu_classifier(body.current_thread.text).entities,
58 .name == "urgency"
59 )
60 ),
61 (
62 any(ml.nlu_classifier(body.current_thread.text).tags,
63 .name == "purchase_order" and .confidence == "high"
64 )
65 ),
66 )
67 or (
68 length(attachments) == 1
69 and length(body.current_thread.text) < 100
70 and all(attachments,
71 .file_type in $file_types_images
72 and any(file.explode(.),
73 2 of (
74 regex.icontains(.scan.ocr.raw,
75 '(discuss.{0,15}purchas(e|ing))'
76 ),
77 regex.icontains(.scan.ocr.raw,
78 '(sign(ed?)|view).{0,10}(purchase order)|Request for a Quot(e|ation)'
79 ),
80 regex.icontains(.scan.ocr.raw,
81 '(please|kindly).{0,30}quote'
82 ),
83 (
84 any(ml.nlu_classifier(.scan.ocr.raw).entities,
85 .name == "request"
86 )
87 and any(ml.nlu_classifier(.scan.ocr.raw).entities,
88 .name == "urgency"
89 )
90 ),
91 any(ml.nlu_classifier(.scan.ocr.raw).tags,
92 .name == "purchase_order" and .confidence == "high"
93 )
94 )
95 )
96 )
97 )
98 )
99
100 // negate highly trusted sender domains unless they fail DMARC authentication
101 and (
102 (
103 sender.email.domain.root_domain in $high_trust_sender_root_domains
104 and not headers.auth_summary.dmarc.pass
105 )
106 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
107 )
108 and not profile.by_sender().solicited
109 and not profile.by_sender().any_false_positives
110
111attack_types:
112 - "BEC/Fraud"
113tactics_and_techniques:
114 - "Evasion"
115 - "Free email provider"
116detection_methods:
117 - "Content analysis"
118 - "Natural Language Understanding"
119 - "URL analysis"
120id: "2ac0d329-c1fb-5c87-98dd-ea3e5b85377a"