EXPLORE
← Back to Explore
sublimemediumRule

Link: Remittance payment request with timeline template

Detects messages containing references to business days and account information with links containing 'remittance' in the URL path, commonly used in financial fraud schemes. This rule is looking at a specific template we're seeing in use with a expedited timeline.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and strings.icontains(body.plain.raw, "business days")
and strings.icontains(body.plain.raw, "account")
and any(filter(body.links,
               .href_url.domain.root_domain not in $tranco_10k
               or (
                 .href_url.domain.root_domain in $tranco_10k
                 and (
                   .href_url.domain.domain in $self_service_creation_platform_domains
                   or .href_url.domain.root_domain in $self_service_creation_platform_domains
                   or .href_url.domain.root_domain in $free_file_hosts
                   or .href_url.domain.domain in $free_file_hosts
                 )
               )
        ),
        strings.icontains(.href_url.path, "remittance")
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Link: Remittance payment request with timeline template"
description: "Detects messages containing references to business days and account information with links containing 'remittance' in the URL path, commonly used in financial fraud schemes. This rule is looking at a specific template we're seeing in use with a expedited timeline."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.icontains(body.plain.raw, "business days")
  and strings.icontains(body.plain.raw, "account")
  and any(filter(body.links,
                 .href_url.domain.root_domain not in $tranco_10k
                 or (
                   .href_url.domain.root_domain in $tranco_10k
                   and (
                     .href_url.domain.domain in $self_service_creation_platform_domains
                     or .href_url.domain.root_domain in $self_service_creation_platform_domains
                     or .href_url.domain.root_domain in $free_file_hosts
                     or .href_url.domain.domain in $free_file_hosts
                   )
                 )
          ),
          strings.icontains(.href_url.path, "remittance")
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "10dde1bf-480e-589b-95a3-3f81b811b667"