Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
RFQ/RFP scams are fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. They aim to deceive recipients into disclosing sensitive information or conducting unauthorized transactions, which can lead to financial loss or data leakage. The rule below fires only when at least one suspicious sender or recipient pattern (hidden recipients, or a free-mail sender whose Reply-To points elsewhere) coincides with at least two quote/purchase-order content signals.
Sublime rule
name: "Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern"
description: |
  RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations.
  These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss, or data leakage.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and 1 of (
    (
      (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients"))
      and length(recipients.cc) == 0
      and length(recipients.bcc) == 0
    ),
    (
      sender.email.domain.root_domain in $free_email_providers
      and any(headers.reply_to, .email.email != sender.email.email)
      and any(headers.reply_to, .email.email not in $recipient_emails)
    )
  )
  and 2 of (
    (
      regex.icontains(coalesce(body.html.display_text, body.plain.raw),
                      '(discuss.{0,15}purchas(e|ing))'
      )
    ),
    (
      regex.icontains(coalesce(body.html.display_text, body.plain.raw),
                      '(sign(ed?)|view).{0,10}(purchase order)|Request for a Quot(e|ation)'
      )
    ),
    (regex.icontains(coalesce(body.html.display_text, body.plain.raw), '(please|kindly).{0,30}quote')),
    (regex.icontains(subject.subject, '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)')),
    (any(attachments, regex.icontains(.file_name, "(purchase.?order|Quot(e|ation))"))),
    (
      any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).entities,
          .name == "request"
      )
      and any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).entities,
              .name == "urgency"
      )
    ),
    (
      any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).tags,
          .name == "purchase_order" and .confidence == "high"
      )
    )
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "2ac0d329-c1fb-5c87-98dd-ea3e5b85377a"
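The non-ML parts of the rule re-implemented in Python, as an added example to show how the "1 of" sender/recipient block and the "2 of" content block combine over constructed sample messages. This is not Sublime's engine or code: it assumes a small stand-in for the $free_email_providers list, approximates root_domain as the last two domain labels and display_text as tag-stripped HTML, treats every sample as inbound, and omits the two ml.nlu_classifier conditions, so only the five regex-based content checks count toward the "2 of" threshold.

```python
"""Added example: re-implementation of the regex/header checks in the Sublime
RFQ/RFP rule above. Not Sublime's code; NLU conditions are omitted."""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumption: a small stand-in for Sublime's $free_email_providers list.
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Regexes copied from the rule; applied case-insensitively like regex.icontains.
BODY_PATTERNS = [
    r"discuss.{0,15}purchas(e|ing)",
    r"(sign(ed?)|view).{0,10}(purchase order)|Request for a Quot(e|ation)",
    r"(please|kindly).{0,30}quote",
]
SUBJECT_PATTERN = r"request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b"
ATTACHMENT_PATTERN = r"purchase.?order|Quot(e|ation)"


def icontains(pattern, text):
    return re.search(pattern, str(text), re.IGNORECASE) is not None


def root_domain(domain):
    """Approximation of root_domain: last two labels. Assumption: fine for the
    providers above, wrong for multi-label suffixes such as co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def recipients(msg, header):
    """(display_name, address) pairs for an address header. An empty group such
    as 'Undisclosed recipients:;' yields ('Undisclosed recipients', '') so the
    rule's display_name check can be mirrored."""
    hdr = msg.get(header)
    if hdr is None:
        return []
    out = []
    for group in hdr.groups:
        if not group.addresses:
            out.append((group.display_name or "", ""))
        for addr in group.addresses:
            out.append((addr.display_name or "", addr.addr_spec.lower()))
    return out


def body_text(msg):
    """coalesce(body.html.display_text, body.plain.raw); a crude tag-stripping
    regex stands in for display_text (assumption)."""
    part = msg.get_body(preferencelist=("html", "plain"))
    if part is None:
        return ""
    text = part.get_content()
    if part.get_content_subtype() == "html":
        text = re.sub(r"<[^>]+>", " ", text)
    return text


def sender_signals(msg, our_addresses):
    """The rule's '1 of' block: number of sender/recipient patterns that fire."""
    to, cc, bcc = (recipients(msg, h) for h in ("To", "Cc", "Bcc"))
    hidden_recipients = (
        (len(to) == 0 or all(name == "Undisclosed recipients" for name, _ in to))
        and len(cc) == 0 and len(bcc) == 0
    )
    from_addrs = [a for _, a in recipients(msg, "From")]
    sender = from_addrs[0] if from_addrs else ""
    reply_to = [a for _, a in recipients(msg, "Reply-To")]
    free_mail_reply_elsewhere = (
        bool(sender) and root_domain(sender.split("@")[-1]) in FREE_EMAIL_PROVIDERS
        and any(r != sender for r in reply_to)
        and any(r not in our_addresses for r in reply_to)   # $recipient_emails stand-in
    )
    return int(hidden_recipients) + int(free_mail_reply_elsewhere)


def content_signals(msg):
    """The rule's '2 of' block without the two NLU conditions."""
    body = body_text(msg)
    hits = [icontains(p, body) for p in BODY_PATTERNS]
    hits.append(icontains(SUBJECT_PATTERN, msg.get("Subject", "")))
    hits.append(any(icontains(ATTACHMENT_PATTERN, part.get_filename() or "")
                    for part in msg.iter_attachments()))
    return sum(hits)


def evaluate(raw_message, our_addresses):
    """Apply the rule's thresholds (type.inbound assumed) and return the counts
    so the verdict is explainable."""
    msg = message_from_string(raw_message, policy=policy.default)
    s, c = sender_signals(msg, our_addresses), content_signals(msg)
    return {"sender_signals": s, "content_signals": c, "matched": s >= 1 and c >= 2}


# Constructed sample messages (not real mail).
OUR_ADDRESSES = {"sales@example.com"}
SCAM = """\
From: "Procurement Office" <procurement.office2024@gmail.com>
Reply-To: quotes-desk@outlook.com
To: Undisclosed recipients:;
Subject: Request for Quotation - Urgent
Content-Type: text/plain; charset="utf-8"

Dear Sir/Madam,

Please kindly send us your best quote for the items listed below.
We would like to discuss purchasing 500 units for Q3 delivery.
"""
LEGIT = """\
From: Dana Lee <dana.lee@partner-corp.example>
To: sales@example.com
Subject: Re: RFQ 2291 follow-up
Content-Type: text/plain; charset="utf-8"

Hi, please send the revised quote by Friday so we can close this out.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("legit", LEGIT)):
        print(label, evaluate(raw, OUR_ADDRESSES))
```

The legitimate follow-up clears the "2 of" content threshold (RFQ in the subject, "please ... quote" in the body) but has a named recipient and a corporate sender, so the "1 of" gate keeps it from matching; the scam trips both gates. Any real deployment would still want the NLU conditions the rule carries, which this example cannot reproduce.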