← Back to Explore
sublimemediumRule
BEC/Fraud: Fake investment outreach from suspicious TLD
Detects fake investment solicitation emails using "Investment into {company}" subject lines from suspicious TLDs. This campaign targets businesses with templated cold outreach purporting to represent family offices or private equity firms, using disposable domains with DGA-like characteristics.
Detection Query
type.inbound
and strings.istarts_with(subject.base, 'investment into')
and sender.email.domain.tld in $suspicious_tlds
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "BEC/Fraud: Fake investment outreach from suspicious TLD"
description: |
Detects fake investment solicitation emails using "Investment into {company}"
subject lines from suspicious TLDs. This campaign targets businesses with
templated cold outreach purporting to represent family offices or private
equity firms, using disposable domains with DGA-like characteristics.
type: "rule"
severity: "medium"
source: |
type.inbound
and strings.istarts_with(subject.base, 'investment into')
and sender.email.domain.tld in $suspicious_tlds
tags:
- "Attack surface reduction"
attack_types:
- "BEC/Fraud"
tactics_and_techniques:
- "Social engineering"
detection_methods:
- "Header analysis"
- "Sender analysis"
- "Content analysis"
id: "5d4c4a15-661c-5fd1-9d5f-1c72c8230be8"