sublime · high · Rule
Scam: Fake estate sale offering welding equipment and tools
Detects fraudulent messages impersonating someone selling inherited or estate items, specifically targeting welding equipment, power tools, and machinery. These messages typically claim items are from a deceased relative's estate or due to relocation, require shipping arrangements, and use emotional manipulation to appear legitimate while requesting contact through alternative channels.
Detection Query
// Flags short messages that combine three signal groups, all of which must match:
//   1. a lure       - welding gear, heavy equipment, tools, or a priced item list
//   2. a pretext    - bereavement/estate, relocation, or giveaway framing
//   3. a close      - shipping terms, a referral ask, an interest prompt, or a
//                     contact-channel anomaly
// NOTE(review): every condition visible here reads the current-thread body text or the
// Reply-To / To headers. Nothing restricts the query to inbound mail or exempts known
// senders - confirm whether that is handled elsewhere before relying on this rule for
// automated action.
// Size guards: fewer than 10 links and under 3000 characters of current-thread text.
length(body.current_thread.links) < 10
and length(body.current_thread.text) < 3000
// Group 1 - the lure. Any one alternative is enough.
and (
// Welding brand within 50 same-line characters of a welding term, in either order.
regex.icontains(body.current_thread.text,
'(?:Miller|Lincoln\s*Electric|Hobart|ESAB|Fronius|Everlast|Hypertherm|Thermal\s*Dynamics)\s*[^\r\n]{0,50}(?:\bwelder\b|\bwelding\b|\bTIG\b|\bMIG\b|plasma\s*cutter)',
'(?:\bwelder\b|\bwelding\b|\bTIG\b|\bMIG\b|plasma\s*cutter)\s*[^\r\n]{0,50}(?:Miller|Lincoln\s*Electric|Hobart|ESAB|Fronius|Everlast|Hypertherm|Thermal\s*Dynamics)'
)
// Equipment / outdoor-power brand followed within 50 same-line characters by an
// equipment type (brand-first order only).
or regex.icontains(body.current_thread.text,
'(?:Caterpillar|\bCAT\b|John\s*Deere|Kubota|Bobcat|Honda|Generac|Stihl|Husqvarna|\bToro\b)\s*[^\r\n]{0,50}(?:\bgenerator\b|\bchainsaw\b|\bexcavator\b|\bskid\s*steer\b|\btractor\b|\bmower\b|\bloader\b|\bbackhoe\b)'
)
// Generic tool wording within 50 same-line characters of an availability word
// (available, sale, rehome, gift, giving away, free), in either order.
or regex.icontains(body.current_thread.text,
'(?:welding\s*tools|power\s*tools|tool\s+(?:box|chest|set|kit|collection)|toolbox|toolchest)\s*[^\r\n]{0,50}(?:available|sale|rehome|gift|giving\s*away|free)',
'(?:available|sale|rehome|gift|giving\s*away|free)\s*[^\r\n]{0,50}(?:welding\s*tools|power\s*tools|tool\s+(?:box|chest|set|kit|collection)|toolbox|toolchest)'
)
// Bare phrase matches; no availability word is required for these two.
or strings.ilike(body.current_thread.text,
'*welding tools*',
'*tools and accessories*'
)
// Price-list variant: five or more "item ... price" hits (parenthesised number,
// $ amount, or "for <amount>" within 30 same-line characters of a listed item),
// accepted only when a bereavement/estate phrase is also present.
// NOTE(review): the item alternation has \b on the right only, so an item can match
// the tail of a longer word; the >= 5 threshold and the estate requirement limit the
// effect - confirm whether a leading \b is wanted.
or (
length(regex.extract(body.current_thread.text,
'(?i)(?:generator|refrigerator|trailer|tractor|lawnmower|mower|washer|dryer|freezer|treadmill|peloton|vanity|dresser|couch|sectional|kennel|mattress|bed\s*frame|hot\s*tub|golf\s*cart|tv|gazebo|loveseat|dishwasher|microwave|kitchenaid|rolex|watch|honda|toyota|ford|chevy|jeep|kubota|bobcat|polaris|kawasaki|macbook|iphone|playstation|ps5|xbox|canon|sony|dji|piano|keyboard|guitar|violin)\b[^\r\n]{0,30}(?:\(\s*\d{2,5}\s*\)|\$\s*\d{2,5}|\bfor\s+\$?\d{2,5})'
)
) >= 5
and regex.icontains(body.current_thread.text,
'late (?:husband|father|dad|wife|mother|mom)',
'(?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate'
)
)
)
// Group 2 - the pretext. Any one alternative is enough.
and (
// Bereavement / estate wording.
regex.icontains(body.current_thread.text,
'late (?:husband|father|dad|wife|mother|mom)',
'(?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate',
'inherited instruments',
'just lost (?:her|his|their) (?:husband|father|dad|wife|mother|mom)'
)
// Relocation / downsizing wording.
// NOTE(review): patterns written as '* word *' carry literal spaces, so presumably the
// phrase must be space-delimited on both sides and will not match next to punctuation
// or at a line boundary - verify against sample messages.
or strings.ilike(body.current_thread.text,
'* downsizing *',
'* relocating soon *',
'* to relocate *',
'*prepares to relocate*',
'*relocate with*family*'
)
// Giveaway / rehoming wording.
or strings.ilike(body.current_thread.text,
'*sponsored*giveaway*',
'*giveaway*sponsored*',
'* generously offering *',
'* generous offer *',
'*a loving home*',
'*a good home*',
'*find a new home *',
'*rehome these instruments *',
'* free donation*'
)
// "giving away <possessive> ..." followed by a relative term, or by a tool/equipment
// term within 40 same-line characters.
or regex.icontains(body.current_thread.text,
'giv\w+\s+away\s+(?:her|his|their|my|our)\s+(?:late|deceased|dad|father|mother|husband|wife)',
'giv\w+\s+away\s+(?:her|his|their|my|our)[^\r\n]{0,40}(?:tool|welder|welding|equipment|instrument|machine)'
)
// Sales-pitch phrases.
or strings.ilike(body.current_thread.text,
'*generous opportunity*',
'*who needs a reliable*',
'*comprehensive set of tools*',
'*top-of-the-line machine*'
)
)
// Group 3 - the close. Any one alternative is enough.
// NOTE(review): several alternatives below are generic on their own (' kindly ', an
// empty To list, "if you are interested"), so the rule's precision rests mostly on
// groups 1 and 2 - measure false positives against legitimate marketplace and estate
// mail before tuning or enforcing.
and (
// Shipping terms: a fee/cost/arrangement, buyer pays shipping, no pickup, delivery
// only, or a moving company.
regex.icontains(body.current_thread.text,
'shipping (?:fee|cost|arrangement)',
'(?:responsible|pay) for shipping',
'no (?:local\s)?pick.?up',
'(?:local\s)?pick.?up.{0,50}not available',
'delivery only',
'moving company'
)
// Referral ask: the reader is invited to take the item or pass the offer on.
or strings.ilike(body.current_thread.text,
'* if you will take it *',
'* or have someone *',
'* indicate your interest *',
'* to someone you know *',
'* know someone who *',
'* someone you know would *',
'* someone who will *',
'* someone who truly *',
'* anyone you know *'
)
// Interest prompt ("if you are interested", "anyone ... interested", "who would appreciate").
or regex.icontains(body.current_thread.text,
'if you[^\r\n]{0,20}(?:(?:might|will|would) be|are)[^\r\n]{0,20}interested',
'(?:any|some)one[^\r\n]{0,20}(is|will|would|might be)[^\r\n]{0,20}interested',
'who (?:will|would|might) appreciate'
)
// Contact-channel and header anomalies.
or (
// An email address written in the body whose domain or root domain is on the
// $free_email_providers list.
any(regex.extract(body.current_thread.text,
"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
),
strings.parse_email(.full_match).domain.domain in $free_email_providers
or strings.parse_email(.full_match).domain.root_domain in $free_email_providers
)
// Reply-To is present and none of its addresses equals the sender address.
or (
length(headers.reply_to) > 0
and sender.email.email not in map(headers.reply_to, .email.email)
)
// The To header carries no recipients.
or length(recipients.to) == 0
// Prompt to call, contact or text "at" some number or address.
or regex.icontains(body.current_thread.text,
'(?:call|contact|text)[^\r\n]{0,50} at'
)
// Mention of a private / personal / primary email address.
or regex.icontains(body.current_thread.text,
'(?:private|personal|primary) (?:e-?)?mail'
)
// Stock phrases.
or strings.icontains(body.current_thread.text,
'happy to answer any questions you may have'
)
or strings.icontains(body.current_thread.text, ' kindly ')
or strings.icontains(body.current_thread.text, ' (kindly ')
)
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Rule definition in YAML form.
# NOTE(review): indentation is missing in this listing. The lines after "source: |" up to
# "attack_types:" are the body of the literal block and the "- " entries are list items;
# both need their indentation restored before this parses as YAML.
name: "Scam: Fake estate sale offering welding equipment and tools"
description: "Detects fraudulent messages impersonating someone selling inherited or estate items, specifically targeting welding equipment, power tools, and machinery. These messages typically claim items are from a deceased relative's estate or due to relocation, require shipping arrangements, and use emotional manipulation to appear legitimate while requesting contact through alternative channels."
type: "rule"
severity: "high"
# Detection logic (MQL): two size guards, then three parenthesised groups joined by "and" -
# a tools/equipment lure, an estate/relocation/giveaway pretext, and a shipping or
# contact-channel cue. Within each group the alternatives are joined by "or".
# NOTE(review): no condition in the query references the sender's reputation or message
# direction; the only header checks are on Reply-To and To.
source: |
length(body.current_thread.links) < 10
and length(body.current_thread.text) < 3000
and (
regex.icontains(body.current_thread.text,
'(?:Miller|Lincoln\s*Electric|Hobart|ESAB|Fronius|Everlast|Hypertherm|Thermal\s*Dynamics)\s*[^\r\n]{0,50}(?:\bwelder\b|\bwelding\b|\bTIG\b|\bMIG\b|plasma\s*cutter)',
'(?:\bwelder\b|\bwelding\b|\bTIG\b|\bMIG\b|plasma\s*cutter)\s*[^\r\n]{0,50}(?:Miller|Lincoln\s*Electric|Hobart|ESAB|Fronius|Everlast|Hypertherm|Thermal\s*Dynamics)'
)
or regex.icontains(body.current_thread.text,
'(?:Caterpillar|\bCAT\b|John\s*Deere|Kubota|Bobcat|Honda|Generac|Stihl|Husqvarna|\bToro\b)\s*[^\r\n]{0,50}(?:\bgenerator\b|\bchainsaw\b|\bexcavator\b|\bskid\s*steer\b|\btractor\b|\bmower\b|\bloader\b|\bbackhoe\b)'
)
or regex.icontains(body.current_thread.text,
'(?:welding\s*tools|power\s*tools|tool\s+(?:box|chest|set|kit|collection)|toolbox|toolchest)\s*[^\r\n]{0,50}(?:available|sale|rehome|gift|giving\s*away|free)',
'(?:available|sale|rehome|gift|giving\s*away|free)\s*[^\r\n]{0,50}(?:welding\s*tools|power\s*tools|tool\s+(?:box|chest|set|kit|collection)|toolbox|toolchest)'
)
or strings.ilike(body.current_thread.text,
'*welding tools*',
'*tools and accessories*'
)
or (
length(regex.extract(body.current_thread.text,
'(?i)(?:generator|refrigerator|trailer|tractor|lawnmower|mower|washer|dryer|freezer|treadmill|peloton|vanity|dresser|couch|sectional|kennel|mattress|bed\s*frame|hot\s*tub|golf\s*cart|tv|gazebo|loveseat|dishwasher|microwave|kitchenaid|rolex|watch|honda|toyota|ford|chevy|jeep|kubota|bobcat|polaris|kawasaki|macbook|iphone|playstation|ps5|xbox|canon|sony|dji|piano|keyboard|guitar|violin)\b[^\r\n]{0,30}(?:\(\s*\d{2,5}\s*\)|\$\s*\d{2,5}|\bfor\s+\$?\d{2,5})'
)
) >= 5
and regex.icontains(body.current_thread.text,
'late (?:husband|father|dad|wife|mother|mom)',
'(?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate'
)
)
)
and (
regex.icontains(body.current_thread.text,
'late (?:husband|father|dad|wife|mother|mom)',
'(?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate',
'inherited instruments',
'just lost (?:her|his|their) (?:husband|father|dad|wife|mother|mom)'
)
or strings.ilike(body.current_thread.text,
'* downsizing *',
'* relocating soon *',
'* to relocate *',
'*prepares to relocate*',
'*relocate with*family*'
)
or strings.ilike(body.current_thread.text,
'*sponsored*giveaway*',
'*giveaway*sponsored*',
'* generously offering *',
'* generous offer *',
'*a loving home*',
'*a good home*',
'*find a new home *',
'*rehome these instruments *',
'* free donation*'
)
or regex.icontains(body.current_thread.text,
'giv\w+\s+away\s+(?:her|his|their|my|our)\s+(?:late|deceased|dad|father|mother|husband|wife)',
'giv\w+\s+away\s+(?:her|his|their|my|our)[^\r\n]{0,40}(?:tool|welder|welding|equipment|instrument|machine)'
)
or strings.ilike(body.current_thread.text,
'*generous opportunity*',
'*who needs a reliable*',
'*comprehensive set of tools*',
'*top-of-the-line machine*'
)
)
and (
regex.icontains(body.current_thread.text,
'shipping (?:fee|cost|arrangement)',
'(?:responsible|pay) for shipping',
'no (?:local\s)?pick.?up',
'(?:local\s)?pick.?up.{0,50}not available',
'delivery only',
'moving company'
)
or strings.ilike(body.current_thread.text,
'* if you will take it *',
'* or have someone *',
'* indicate your interest *',
'* to someone you know *',
'* know someone who *',
'* someone you know would *',
'* someone who will *',
'* someone who truly *',
'* anyone you know *'
)
or regex.icontains(body.current_thread.text,
'if you[^\r\n]{0,20}(?:(?:might|will|would) be|are)[^\r\n]{0,20}interested',
'(?:any|some)one[^\r\n]{0,20}(is|will|would|might be)[^\r\n]{0,20}interested',
'who (?:will|would|might) appreciate'
)
or (
any(regex.extract(body.current_thread.text,
"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
),
strings.parse_email(.full_match).domain.domain in $free_email_providers
or strings.parse_email(.full_match).domain.root_domain in $free_email_providers
)
or (
length(headers.reply_to) > 0
and sender.email.email not in map(headers.reply_to, .email.email)
)
or length(recipients.to) == 0
or regex.icontains(body.current_thread.text,
'(?:call|contact|text)[^\r\n]{0,50} at'
)
or regex.icontains(body.current_thread.text,
'(?:private|personal|primary) (?:e-?)?mail'
)
or strings.icontains(body.current_thread.text,
'happy to answer any questions you may have'
)
or strings.icontains(body.current_thread.text, ' kindly ')
or strings.icontains(body.current_thread.text, ' (kindly ')
)
)
# Classification metadata: attack type, tactics/techniques, and the kinds of analysis
# the query performs (body content, sender address, Reply-To / To headers).
attack_types:
- "BEC/Fraud"
tactics_and_techniques:
- "Social engineering"
- "Free email provider"
- "Out of band pivot"
detection_methods:
- "Content analysis"
- "Sender analysis"
- "Header analysis"
# Rule identifier (UUID).
id: "44cb8704-7756-5d8a-817e-a038c693ae08"