← Back to Explore
sublimemediumRule
BEC: Financial fraud from newly registered sender domain
Detects inbound messages from domains registered less than 30 days ago that exhibit business email compromise intent with high-confidence financial or payment topics. The message must also contain explicit banking details such as account and routing numbers, invoice references, or payment urgency language, and must either fail DMARC on a trusted domain or originate from an untrusted domain.
Detection Query
type.inbound
and network.whois(sender.email.domain).days_old < 30
and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec")
and (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Financial Communications", "Payment Information")
and .confidence == "high"
)
)
and (
(
regex.icontains(body.current_thread.text,
'account\s*(?:number|num|no\.?)\s*:?\s*\d{5,}'
)
and regex.icontains(body.current_thread.text,
'(?:wire\s*)?routing\s*(?:number|num|no\.?)\s*:?\s*\d{5,}'
)
)
or regex.icontains(body.current_thread.text,
'invoice\s*(?:#|number|num|no\.?)\s*:?\s*[A-Z0-9-]{3,}',
'per\s+\w+.{0,5}s\s+request'
)
or strings.icontains(body.current_thread.text,
'due upon receipt',
'confirm receipt of invoice',
'see attached invoice'
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "BEC: Financial fraud from newly registered sender domain"
description: "Detects inbound messages from domains registered less than 30 days ago that exhibit business email compromise intent with high-confidence financial or payment topics. The message must also contain explicit banking details such as account and routing numbers, invoice references, or payment urgency language, and must either fail DMARC on a trusted domain or originate from an untrusted domain."
type: "rule"
severity: "medium"
source: |
type.inbound
and network.whois(sender.email.domain).days_old < 30
and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec")
and (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Financial Communications", "Payment Information")
and .confidence == "high"
)
)
and (
(
regex.icontains(body.current_thread.text,
'account\s*(?:number|num|no\.?)\s*:?\s*\d{5,}'
)
and regex.icontains(body.current_thread.text,
'(?:wire\s*)?routing\s*(?:number|num|no\.?)\s*:?\s*\d{5,}'
)
)
or regex.icontains(body.current_thread.text,
'invoice\s*(?:#|number|num|no\.?)\s*:?\s*[A-Z0-9-]{3,}',
'per\s+\w+.{0,5}s\s+request'
)
or strings.icontains(body.current_thread.text,
'due upon receipt',
'confirm receipt of invoice',
'see attached invoice'
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
attack_types:
- "BEC/Fraud"
tactics_and_techniques:
- "Social engineering"
- "Spoofing"
detection_methods:
- "Natural Language Understanding"
- "Whois"
- "Content analysis"
- "Sender analysis"
- "Header analysis"
id: "4be9b165-975f-5587-b780-9441d1b30782"