Tax Form: W-8BEN solicitation

Detects messages containing references to W-8BEN tax forms, commonly used in tax-related fraud schemes targeting individuals and businesses.

Sublime rule (View on GitHub)

 1name: "Tax Form: W-8BEN solicitation"
 2description: "Detects messages containing references to W-8BEN tax forms, commonly used in tax-related fraud schemes targeting individuals and businesses."
 3type: "rule"
 4severity: "medium"
 5source: |
 6   type.inbound
 7   and (
 8     // few links
 9     0 < length(body.links) < 20
10     and any(body.links, network.whois(.href_url.domain).days_old <= 60)
11     // fewer unique root domain links
12     and length(distinct(body.links, .href_url.domain.root_domain)) < 10
13     // sender domain matches no body domains
14     and all(body.links,
15             .href_url.domain.root_domain != sender.email.domain.root_domain
16     )
17   )
18   
19   // sender domain and return path are the same
20   and (sender.email.domain.root_domain == headers.return_path.domain.domain)
21   and not (sender.email.domain.root_domain != headers.return_path.domain.domain)
22   and (
23     regex.icontains(subject.subject, ".*Foreign Tax*")
24     or regex.icontains(subject.subject, ".*W-8BEN*")
25   )
26   // or any([body.current_thread.text, body.html.display_text, body.plain.raw],
27   and any([body.current_thread.text],
28           regex.icontains(.,
29                           'tax form',
30                           'W-8BEN',
31                           'Foreign Tax',
32                           'tax return',
33                           'tax preparation',
34                           'tax documentation',
35                           'regulatory',
36                           'withholding',
37                           'approve',
38                           'non-US tax',
39                           'treaty',
40                           'Renew Documentation',
41                           'Dear Client'
42           )
43   )
44   
45   // Registrant domain registered to China
46   and (
47     any(body.links,
48         network.whois(.href_url.domain).registrant_country_code =~ "CN"
49     )
50     or any(body.links,
51            strings.icontains(network.whois(.href_url.domain).registrant_country,
52                              "china"
53            )
54     )
55   )
56   
57   // Alibaba Cloud nameservers
58   and all(network.whois(sender.email.domain).name_servers,
59           .root_domain == "hichina.com"
60   )   
61
62attack_types:
63  - "BEC/Fraud"
64  - "Credential Phishing"
65tactics_and_techniques:
66  - "Social engineering"
67detection_methods:
68  - "Content analysis"
69  - "Header analysis"
70  - "URL analysis"
71id: "a64edb69-4913-5330-84cf-2d2561967acf"