sublime | medium | Rule
Body: PayApp transaction reference pattern
Detects messages containing PayApp transaction reference numbers in a specific format (PayApp# followed by digits) in either the message body or subject line.
Detection Query
type.inbound
and regex.icontains(body.current_thread.text, 'PayApp\s?#\d+')
and regex.icontains(body.current_thread.text, '[a-z0-9\.\+\-]+@[a-z0-9\-]+\.')
and strings.icontains(subject.base, "payapp")
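Added example (not part of the rule or of Sublime's own code): a Python approximation of the query's conditions, run over constructed messages, showing that every condition must hold at once and that the PayApp# reference is only looked for in the body. The dict keys and the use of Python's `re` in place of MQL's `regex.icontains` are assumptions.

```python
import re

# Assumption: Python's re with IGNORECASE stands in for MQL regex.icontains.
REF_RE = re.compile(r'PayApp\s?#\d+', re.IGNORECASE)
ADDR_RE = re.compile(r'[a-z0-9\.\+\-]+@[a-z0-9\-]+\.', re.IGNORECASE)


def evaluate(msg):
    """Evaluate each condition of the query separately.

    msg is a dict with hypothetical keys inbound, subject and body that
    stand in for type.inbound, subject.base and body.current_thread.text.
    """
    return {
        "type.inbound": bool(msg["inbound"]),
        "body_reference": bool(REF_RE.search(msg["body"])),
        "body_address": bool(ADDR_RE.search(msg["body"])),
        "subject_payapp": "payapp" in msg["subject"].lower(),
    }


def rule_matches(msg):
    # The query joins every condition with `and`, so all must hold.
    return all(evaluate(msg).values())


# Constructed sample messages, not real traffic.
SAMPLES = {
    "all_conditions": {
        "inbound": True,
        "subject": "Your PayApp receipt",
        "body": "PayApp #48213 was charged. Questions? billing@example.com",
    },
    "reference_only_in_subject": {
        "inbound": True,
        "subject": "PayApp#48213 confirmation",
        "body": "Your payment was charged. Questions? billing@example.com",
    },
    "no_address_in_body": {
        "inbound": True,
        "subject": "PayApp notice",
        "body": "payapp#7 is pending. Reply to this message for details.",
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        failed = [k for k, ok in evaluate(msg).items() if not ok]
        print(f"{name}: match={rule_matches(msg)} failed={failed}")
```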
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Body: PayApp transaction reference pattern"
description: "Detects messages containing PayApp transaction reference numbers in a specific format (PayApp# followed by digits) in either the message body or subject line."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and regex.icontains(body.current_thread.text, 'PayApp\s?#\d+')
  and regex.icontains(body.current_thread.text, '[a-z0-9\.\+\-]+@[a-z0-9\-]+\.')
  and strings.icontains(subject.base, "payapp")
attack_types:
  - "Callback Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
id: "2dc8b3cd-d6d7-52fb-a296-b2840333925b"