sublime | low | Rule
Spam: Sexually explicit content with emoji in subject from freemail provider
Detects messages from free email providers that contain sexually explicit content and include emojis in the subject line.
Detection Query
type.inbound
// sender is a freemail domain
and sender.email.domain.root_domain in $free_email_providers
// look for commonly used emojis in sexually explicit messages
and regex.icontains(subject.subject,
                    '(\x{1F346}|\x{1F608}|\x{1F609}|\x{1F351}|\x{2764}|\x{1F60D}|\x{1F618}|\x{1F48B}|\x{1F63B}|\x{1F445}|\x{1F51E}|\x{1F525}|\x{1F4F7})'
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == 'Sexually Explicit Messages'
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Spam: Sexually explicit content with emoji in subject from freemail provider"
description: "Detects messages from free email providers that contain sexually explicit content and include emojis in the subject line."
type: "rule"
severity: "low"
source: |
  type.inbound
  // sender is a freemail domain
  and sender.email.domain.root_domain in $free_email_providers
  // look for commonly used emojis in sexually explicit messages
  and regex.icontains(subject.subject,
                      '(\x{1F346}|\x{1F608}|\x{1F609}|\x{1F351}|\x{2764}|\x{1F60D}|\x{1F618}|\x{1F48B}|\x{1F63B}|\x{1F445}|\x{1F51E}|\x{1F525}|\x{1F4F7})'
  )
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == 'Sexually Explicit Messages'
  )
attack_types:
- "Spam"
tactics_and_techniques:
- "Free email provider"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Sender analysis"
id: "4a2326d4-7f22-5a0c-9f91-6e302ee1987a"