Tax Form: W-8BEN solicitation
Detects messages containing references to W-8BEN tax forms, commonly used in tax-related fraud schemes targeting individuals and businesses.
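name: "Tax Form: W-8BEN solicitation"
description: "Detects messages containing references to W-8BEN tax forms, commonly used in tax-related fraud schemes targeting individuals and businesses."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // few links, at least one pointing at a recently registered domain
    0 < length(body.links) < 20
    and any(body.links, network.whois(.href_url.domain).days_old <= 60)
    // few distinct root domains across the links
    and length(distinct(body.links, .href_url.domain.root_domain)) < 10
    // no link shares the sender's root domain
    and all(body.links,
            .href_url.domain.root_domain != sender.email.domain.root_domain
    )
  )

  // sender domain and return path are the same
  // NOTE(review): this compares the sender's root domain with the full
  // return-path domain, so a subdomained return path (e.g. a bounce.*
  // host under the same root) does not match even when the roots agree;
  // confirm that is intended. The former duplicate clause
  // "and not (a != b)" was identical to "a == b" and has been dropped.
  and (sender.email.domain.root_domain == headers.return_path.domain.domain)

  // subject references the form or foreign tax status.
  // Plain substrings: regex.icontains already matches anywhere in the
  // subject, and the earlier ".*Foreign Tax*" / ".*W-8BEN*" patterns made
  // the final character optional, so they also matched "Foreign Ta" and
  // "W-8BE".
  and regex.icontains(subject.subject, "Foreign Tax", "W-8BEN")

  // body keywords; 'regulatory', 'approve', 'treaty' and 'Dear Client' are
  // generic on their own and rely on the header and whois gates below
  // or any([body.current_thread.text, body.html.display_text, body.plain.raw],
  and any([body.current_thread.text],
          regex.icontains(.,
                          'tax form',
                          'W-8BEN',
                          'Foreign Tax',
                          'tax return',
                          'tax preparation',
                          'tax documentation',
                          'regulatory',
                          'withholding',
                          'approve',
                          'non-US tax',
                          'treaty',
                          'Renew Documentation',
                          'Dear Client'
          )
  )

  // Registrant domain registered to China (either the ISO code or the
  // free-text country field, since whois providers populate them unevenly)
  and (
    any(body.links,
        network.whois(.href_url.domain).registrant_country_code =~ "CN"
    )
    or any(body.links,
           strings.icontains(network.whois(.href_url.domain).registrant_country,
                             "china"
           )
    )
  )

  // Alibaba Cloud nameservers
  // NOTE(review): all() over an empty list evaluates true, so a sender
  // domain whose whois lookup returns no name servers satisfies this
  // clause; add a length() guard if that is not intended
  and all(network.whois(sender.email.domain).name_servers,
          .root_domain == "hichina.com"
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "URL analysis"
id: "a64edb69-4913-5330-84cf-2d2561967acf"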