
Investor solicitation with organization targeting

Detects messages targeting organizations with investment solicitations that specifically reference the recipient's organization by extracting the organization name and matching it to the recipient's email domain.

MITRE ATT&CK

initial-access

Detection Query

// Inbound investment solicitation that (1) names the recipient's organization,
// (2) steers replies to a root domain other than the sender's, (3) greets the
// recipient by the local part of their address, and (4) uses fundraising /
// cold-outreach language. The four groups are AND-ed: all must hold to match.
type.inbound
and (
  // (1a) subject contains recipient's org name: the recipient's second-level
  // domain label appears in the subject, and the label is at least two
  // characters long (presumably so a one-letter label cannot match almost any
  // subject).
  // NOTE(review): this is a substring match, so a generic or very short SLD
  // (a shared mail provider, a two-letter label) will match ordinary subjects;
  // raise the length floor or exclude such domains if this branch proves noisy.
  any(recipients.to,
      strings.icontains(subject.subject, .email.domain.sld)
      and regex.imatch(.email.domain.sld, '.{2,}')
  )
  or
  // (1b) body extracts org name matching recipient domain: the single 2-20
  // letter word that precedes "came to our attention" (optionally with
  // "recently" in between) is treated as the org name; "..named_groups" reads
  // that outer regex.extract match from inside the inner any() over recipients.
  // NOTE(review): the capture is unanchored, so "it came to our attention"
  // yields "it", and .email.domain.domain includes subdomains and the TLD, so
  // short captures substring-match many recipient domains. Comparing against
  // .email.domain.sld (as branch 1a does) and/or a higher length floor would
  // tighten this.
  any(regex.extract(body.current_thread.text,
                    '(?P<org>[a-zA-Z]{2,20})\s(?:recently\s)?came to our attention'
      ),
      any(recipients.to,
          strings.icontains(.email.domain.domain, ..named_groups["org"])
      )
  )
)
// (2) replies are routed to a root domain that differs from the sender's.
// NOTE(review): presumably any() over an absent Reply-To is false, so messages
// with no Reply-To header never match this rule - confirm that is intended.
and any(headers.reply_to,
        .email.domain.root_domain != sender.email.domain.root_domain
)
// (3) greeting uses recipient's email local_part: either the whole local part
// ("Dear jdoe") or its leading token before the first '.' or '_'
// ("Dear john" for john.doe@...). Both checks are case-insensitive substring
// matches against the current thread text.
and any(recipients.to,
        (
          strings.icontains(body.current_thread.text,
                            strings.concat("Dear ", .email.local_part)
          )
          or any(regex.extract(.email.local_part, '^(?P<first>[^._]+)'),
                 strings.icontains(body.current_thread.text,
                                   strings.concat("Dear ",
                                                  .named_groups["first"]
                                   )
                 )
          )
        )
)
// (4) financial/investment cold outreach language: at least two of the phrases
// below, or all three NLU topics together.
// note: "came to our attention" is also the anchor phrase of branch (1b), so a
// (1b) hit already satisfies one of the two required phrases here.
and (
  2 of (
    strings.icontains(body.current_thread.text, "alternative investments"),
    strings.icontains(body.current_thread.text, "raising capital"),
    strings.icontains(body.current_thread.text, "came to our attention"),
    strings.icontains(body.current_thread.text, "private markets"),
    strings.icontains(body.current_thread.text, "fundraising"),
    strings.icontains(body.current_thread.text, "investment opportunities"),
    strings.icontains(body.current_thread.text, "introductory"),
    strings.icontains(body.current_thread.text, "commitment size"),
    strings.icontains(body.current_thread.text, "ultra-high-net-worth"),
    strings.icontains(body.current_thread.text, "deployed capital"),
    strings.icontains(body.current_thread.text, "value creation"),
    strings.icontains(body.current_thread.text, "capital planning")
  )
  or (
    // NLU path: the classifier call is written three times over the same text;
    // all three topics must be present for this alternative to hold.
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Financial Communications"
    )
    and any(ml.nlu_classifier(body.current_thread.text).topics,
            .name == "Out of Band Pivot"
    )
    and any(ml.nlu_classifier(body.current_thread.text).topics,
            .name == "B2B Cold Outreach"
    )
  )
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Detection rule manifest: catalogue metadata plus the MQL query carried in
# the `source:` literal block scalar.
name: "Investor solicitation with organization targeting"
description: "Detects messages targeting organizations with investment solicitations that specifically reference the recipient's organization by extracting the organization name and matching it to the recipient's email domain."
type: "rule"
# Medium severity. Every top-level clause of the query is AND-ed, so a message
# must satisfy all of them (org-name reference, Reply-To root-domain mismatch,
# personalized greeting, solicitation language) to match.
severity: "medium"
# Literal block scalar: the indented text below is MQL, including its
# // comments.
source: |
  type.inbound
  and (
    // subject contains recipient's org name
    any(recipients.to,
        strings.icontains(subject.subject, .email.domain.sld)
        and regex.imatch(.email.domain.sld, '.{2,}')
    )
    or
    // body extracts org name matching recipient domain
    any(regex.extract(body.current_thread.text,
                      '(?P<org>[a-zA-Z]{2,20})\s(?:recently\s)?came to our attention'
        ),
        any(recipients.to,
            strings.icontains(.email.domain.domain, ..named_groups["org"])
        )
    )
  )
  and any(headers.reply_to,
          .email.domain.root_domain != sender.email.domain.root_domain
  )
  // greeting uses recipient's email local_part
  and any(recipients.to,
          (
            strings.icontains(body.current_thread.text,
                              strings.concat("Dear ", .email.local_part)
            )
            or any(regex.extract(.email.local_part, '^(?P<first>[^._]+)'),
                   strings.icontains(body.current_thread.text,
                                     strings.concat("Dear ",
                                                    .named_groups["first"]
                                     )
                   )
            )
          )
  )
  // financial/investment cold outreach language
  and (
    2 of (
      strings.icontains(body.current_thread.text, "alternative investments"),
      strings.icontains(body.current_thread.text, "raising capital"),
      strings.icontains(body.current_thread.text, "came to our attention"),
      strings.icontains(body.current_thread.text, "private markets"),
      strings.icontains(body.current_thread.text, "fundraising"),
      strings.icontains(body.current_thread.text, "investment opportunities"),
      strings.icontains(body.current_thread.text, "introductory"),
      strings.icontains(body.current_thread.text, "commitment size"),
      strings.icontains(body.current_thread.text, "ultra-high-net-worth"),
      strings.icontains(body.current_thread.text, "deployed capital"),
      strings.icontains(body.current_thread.text, "value creation"),
      strings.icontains(body.current_thread.text, "capital planning")
    )
    or (
      any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "Financial Communications"
      )
      and any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Out of Band Pivot"
      )
      and any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "B2B Cold Outreach"
      )
    )
  )
# Classification metadata for the rule catalogue.
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
# Stable rule identifier (UUID-formatted).
id: "3b2165c9-7c3d-5cce-a3ec-778e7895d653"