Sublime rule, severity: low
Spam: Fake dating profile notification
Detects dating-themed messages from free email providers containing links with the recipient's email address embedded in URL parameters, combined with suspicious language or topics in the message body.
Detection Query
type.inbound
and sender.email.domain.root_domain in $free_email_providers
// not a reply
and length(headers.references) == 0
and 0 < length(distinct(body.current_thread.links, .href_url.domain.root_domain)
               ) <= 3
and any(body.links,
        (
          any(values(.href_url.query_params_decoded),
              any(.,
                  strings.parse_email(.).email in map(recipients.to,
                                                      .email.email
                  )
              )
          )
        )
        or regex.icontains(.display_text,
                           '(?:(open|view|read|private).{0,15}message)'
        )
        or any([.href_url.path, .display_text],
               any((ml.nlu_classifier(.).topics),
                   .name in ("Romance", "Sexually Explicit Messages")
               )
        )
        // visit the URL and check the effective url
        or any(values(ml.link_analysis(.).effective_url.query_params_decoded),
               any(.,
                   strings.parse_email(.).email in map(recipients.to,
                                                       .email.email
                   )
               )
        )
)
and (
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "org"
      and strings.ilike(.text,
                        "*Flirt*",
                        "*Singles*",
                        "*Date*",
                        "*Dating*",
                        "*Girls*",
                        "*Love*",
                        "*Hook*up*"
      )
  )
  or any(ml.nlu_classifier(body.current_thread.text).topics, .name == "Romance")
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Spam: Fake dating profile notification"
description: "Detects dating-themed messages from free email providers containing links with the recipient's email address embedded in URL parameters, combined with suspicious language or topics in the message body."
type: "rule"
severity: "low"
source: |
  type.inbound
  and sender.email.domain.root_domain in $free_email_providers
  // not a reply
  and length(headers.references) == 0
  and 0 < length(distinct(body.current_thread.links, .href_url.domain.root_domain)
                 ) <= 3
  and any(body.links,
          (
            any(values(.href_url.query_params_decoded),
                any(.,
                    strings.parse_email(.).email in map(recipients.to,
                                                        .email.email
                    )
                )
            )
          )
          or regex.icontains(.display_text,
                             '(?:(open|view|read|private).{0,15}message)'
          )
          or any([.href_url.path, .display_text],
                 any((ml.nlu_classifier(.).topics),
                     .name in ("Romance", "Sexually Explicit Messages")
                 )
          )
          // visit the URL and check the effective url
          or any(values(ml.link_analysis(.).effective_url.query_params_decoded),
                 any(.,
                     strings.parse_email(.).email in map(recipients.to,
                                                         .email.email
                     )
                 )
          )
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "org"
        and strings.ilike(.text,
                          "*Flirt*",
                          "*Singles*",
                          "*Date*",
                          "*Dating*",
                          "*Girls*",
                          "*Love*",
                          "*Hook*up*"
        )
    )
    or any(ml.nlu_classifier(body.current_thread.text).topics, .name == "Romance")
  )
attack_types:
- "Spam"
tactics_and_techniques:
- "Free email provider"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Sender analysis"
- "URL analysis"
id: "0f33fea2-1508-5ae8-a31b-9d498dfcadba"