Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern

RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss, or data leakage.

Sublime rule (View on GitHub)

 1name: "Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern"
 2description: |
 3  RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations.
 4  These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss, or data leakage.  
 5type: "rule"
 6severity: "medium"
 7source: |
 8  type.inbound
 9  and 1 of (
10    (
11      (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients"))
12      and length(recipients.cc) == 0
13      and length(recipients.bcc) == 0
14    ),
15    (
16      sender.email.domain.root_domain in $free_email_providers
17      and any(headers.reply_to, .email.email != sender.email.email)
18      and any(headers.reply_to, .email.email not in $recipient_emails)
19    )
20  )
21  and 2 of (
22    (
23      regex.icontains(body.current_thread.text,
24                      '(discuss.{0,15}purchas(e|ing))'
25      )
26    ),
27    (
28      regex.icontains(body.current_thread.text,
29                      '(sign(ed?)|view).{0,10}(purchase order)|Request for a Quot(e|ation)'
30      )
31    ),
32    (regex.icontains(body.current_thread.text, '(please|kindly).{0,30}quote')),
33    (regex.icontains(subject.subject, '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)')),
34    (any(attachments, regex.icontains(.file_name, "(purchase.?order|Quot(e|ation))"))),
35    (
36      any(ml.nlu_classifier(body.current_thread.text).entities,
37          .name == "request"
38      )
39      and any(ml.nlu_classifier(body.current_thread.text).entities,
40              .name == "urgency"
41      )
42    ),
43    (
44      any(ml.nlu_classifier(body.current_thread.text).tags,
45          .name == "purchase_order" and .confidence == "high"
46      )
47    )
48  )
49
50  // negate highly trusted sender domains unless they fail DMARC authentication
51  and (
52    (
53      sender.email.domain.root_domain in $high_trust_sender_root_domains
54      and not headers.auth_summary.dmarc.pass
55    )
56    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
57  )
58
59  and not profile.by_sender().solicited
60  and not profile.by_sender().any_false_positives  
61attack_types:
62  - "BEC/Fraud"
63tactics_and_techniques:
64  - "Evasion"
65  - "Free email provider"
66detection_methods:
67  - "Content analysis"
68  - "Natural Language Understanding"
69  - "URL analysis"
70id: "2ac0d329-c1fb-5c87-98dd-ea3e5b85377a"
to-top