Sublime rule, severity: medium

Link: RFI document reference pattern in display text

Detects inbound messages in which a link in the current thread has display text containing an RFI (Request for Information) document reference in the format RFI-###-###-###, a numbering convention from construction and procurement workflows that phishing and BEC lures imitate to make a payment- or document-themed link look routine. Display text in the date-like forms RFI-DD-MM-YYYY and RFI-YYYY-MM-DD is excluded, and messages carrying more than ten links are skipped to reduce hits on bulk mail and newsletters.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and any(body.current_thread.links,
        regex.icontains(.display_text, '\bRFI-\d{1,5}-\d{1,5}-\d{1,5}\b')
        and not regex.icontains(.display_text,
                                '\bRFI-\d{2}-\d{2}-\d{4}\b',
                                '\bRFI-\d{4}-\d{2}-\d{2}\b'
        )
)
and length(body.links) < 11
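The query above is Sublime MQL and cannot be run outside the platform, so the following is an added Python re-implementation of its matching logic (not code from Sublime or from the rule itself) for exercising the regex and its date exclusions against constructed link display texts. The `Link` class, the sample links and the `example.invalid` URLs are assumptions made for the example; the regexes and the link cap are copied from the rule.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Positive pattern from the rule: RFI- followed by three groups of 1-5 digits.
# Python's re.IGNORECASE stands in for MQL's regex.icontains.
RFI_REF = re.compile(r"\bRFI-\d{1,5}-\d{1,5}-\d{1,5}\b", re.IGNORECASE)

# Date-like forms the rule subtracts (RFI-DD-MM-YYYY and RFI-YYYY-MM-DD).
# MQL's regex.icontains with several patterns is true if any pattern matches,
# so the exclusion fires if either form appears anywhere in the display text.
DATE_LIKE = (
    re.compile(r"\bRFI-\d{2}-\d{2}-\d{4}\b", re.IGNORECASE),
    re.compile(r"\bRFI-\d{4}-\d{2}-\d{2}\b", re.IGNORECASE),
)

# length(body.links) < 11 in the rule, i.e. at most ten links in the whole body.
MAX_BODY_LINKS = 10


@dataclass
class Link:
    """Minimal stand-in (assumed for this example) for a body link object."""
    href: str
    display_text: str


def display_text_matches(text: str) -> bool:
    """Per-link predicate: an RFI reference is present and no date-like form is."""
    if not RFI_REF.search(text):
        return False
    return not any(pattern.search(text) for pattern in DATE_LIKE)


def rule_matches(inbound: bool, current_thread_links: list[Link], body_links: list[Link]) -> bool:
    """Whole-rule verdict.

    The link predicate runs over body.current_thread.links (the newest message
    only, quoted replies excluded) while the cap counts body.links (every link
    in the body, quoted history included), which is why both lists are passed.
    """
    if not inbound:
        return False
    if len(body_links) > MAX_BODY_LINKS:
        return False
    return any(display_text_matches(link.display_text) for link in current_thread_links)


# Constructed sample links, not taken from a real message.
SAMPLE_LINKS = [
    Link("https://example.invalid/portal", "RFI-001-245-009 - Bid Package Revision"),
    Link("https://example.invalid/unsubscribe", "Unsubscribe"),
]

# A constructed bulk-mail style body: the same lure text, but eleven links.
NEWSLETTER_LINKS = [
    Link(f"https://example.invalid/{i}", "RFI-001-245-009") for i in range(11)
]


if __name__ == "__main__":
    for text in (
        "Review RFI-001-245-009 before Friday",   # reference, fires
        "rfi-001-245-009",                         # case-insensitive, fires
        "RFI-1-2-3",                               # 1-5 digits per group, fires
        "RFI-123456-1-1",                          # six-digit group, no match
        "RFI-12-05-2024 submission",               # date-like, excluded
        "RFI-2024-05-12",                          # date-like, excluded
        "RFI-001-245-009 (RFI-12-05-2024)",        # reference AND date, excluded
    ):
        print(f"{text!r}: {display_text_matches(text)}")
    print("sample message:", rule_matches(True, SAMPLE_LINKS, SAMPLE_LINKS))
    print("newsletter:", rule_matches(True, NEWSLETTER_LINKS, NEWSLETTER_LINKS))
```

The last display-text case is the caveat worth knowing when tuning: the `not regex.icontains(...)` clause is evaluated against the same display text as the positive match, so a lure that includes both a valid RFI reference and a due date in RFI-DD-MM-YYYY form in one link label is suppressed. Tightening that would mean anchoring the exclusion to the matched reference rather than to the whole string. Likewise, the link cap counts quoted history, so a short lure appended to a long forwarded thread can fall outside the rule.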

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content

name: "Link: RFI document reference pattern in display text"
description: "Detects links with display text containing RFI (Request for Information) document reference patterns using format RFI-###-###-###, commonly used in construction and procurement fraud schemes."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.current_thread.links,
          regex.icontains(.display_text, '\bRFI-\d{1,5}-\d{1,5}-\d{1,5}\b')
          and not regex.icontains(.display_text,
                                  '\bRFI-\d{2}-\d{2}-\d{4}\b',
                                  '\bRFI-\d{4}-\d{2}-\d{2}\b'
          )
  )
  and length(body.links) < 11
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "1ffcfc52-a023-585f-8f9f-d1cf16bdaed3"