EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Advance Fee Fraud (AFF) from freemail provider or suspicious TLD

Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised future returns, such as lottery scams, inheritance payouts, and investment opportunities. This rule identifies messages from Freemail domains or suspicious TLDS, including those with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect AFF language in their contents.

MITRE ATT&CK

T1566.002T1534T1656T1566T1598
initial-access

Detection Query

type.inbound
and (
  sender.email.domain.domain in $free_email_providers
  or (
    length(headers.reply_to) > 0
    and all(headers.reply_to,
            (
              .email.domain.root_domain in $free_email_providers
              or .email.domain.tld in $suspicious_tlds
            )
            and .email.email != sender.email.email
    )
  )
  or sender.email.domain.tld in $suspicious_tlds
  or strings.iends_with(sender.email.domain.tld, ".jp")
)
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "advance_fee" and .confidence in ("medium", "high")
  )
  or (
    length(body.current_thread.text) < 200
    and regex.icontains(body.current_thread.text,
                        '(donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
    )
    and not regex.icontains(body.current_thread.text,
                            '(closed.{0,50})?\$\d,\d{3}\,\d{3}.{0,100}(homes|realty|sale)?'
    )
    and not any(body.links,
                regex.icontains(.href_url.url,
                                '(donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
                )
    )
    and (
      (
        (
          length(headers.references) > 0
          or not any(headers.hops,
                     any(.fields, strings.ilike(.name, "In-Reply-To"))
          )
        )
        and not (
          (
            strings.istarts_with(subject.subject, "RE:")
            // out of office auto-reply
            or strings.istarts_with(subject.subject, "Automatic reply:")
            or strings.istarts_with(subject.subject, "R:")
            or strings.istarts_with(subject.subject, "ODG:")
            or strings.istarts_with(subject.subject, "答复:")
            or strings.istarts_with(subject.subject, "AW:")
            or strings.istarts_with(subject.subject, "TR:")
            or strings.istarts_with(subject.subject, "FWD:")
            or regex.icontains(subject.subject,
                               '^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
            )
          )
        )
      )
      or any(headers.reply_to, .email.email != sender.email.email)
    )
  )
)
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Advance Fee Fraud (AFF) from freemail provider or suspicious TLD"
description: |
  Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised
  future returns, such as lottery scams, inheritance payouts, and investment opportunities.
  This rule identifies messages from Freemail domains or suspicious TLDS, including those
  with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect
  AFF language in their contents.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    sender.email.domain.domain in $free_email_providers
    or (
      length(headers.reply_to) > 0
      and all(headers.reply_to,
              (
                .email.domain.root_domain in $free_email_providers
                or .email.domain.tld in $suspicious_tlds
              )
              and .email.email != sender.email.email
      )
    )
    or sender.email.domain.tld in $suspicious_tlds
    or strings.iends_with(sender.email.domain.tld, ".jp")
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "advance_fee" and .confidence in ("medium", "high")
    )
    or (
      length(body.current_thread.text) < 200
      and regex.icontains(body.current_thread.text,
                          '(donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
      )
      and not regex.icontains(body.current_thread.text,
                              '(closed.{0,50})?\$\d,\d{3}\,\d{3}.{0,100}(homes|realty|sale)?'
      )
      and not any(body.links,
                  regex.icontains(.href_url.url,
                                  '(donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
                  )
      )
      and (
        (
          (
            length(headers.references) > 0
            or not any(headers.hops,
                       any(.fields, strings.ilike(.name, "In-Reply-To"))
            )
          )
          and not (
            (
              strings.istarts_with(subject.subject, "RE:")
              // out of office auto-reply
              or strings.istarts_with(subject.subject, "Automatic reply:")
              or strings.istarts_with(subject.subject, "R:")
              or strings.istarts_with(subject.subject, "ODG:")
              or strings.istarts_with(subject.subject, "答复:")
              or strings.istarts_with(subject.subject, "AW:")
              or strings.istarts_with(subject.subject, "TR:")
              or strings.istarts_with(subject.subject, "FWD:")
              or regex.icontains(subject.subject,
                                 '^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
              )
            )
          )
        )
        or any(headers.reply_to, .email.email != sender.email.email)
      )
    )
  )
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_messages_benign
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "6a5af373-a97b-5013-aeec-42ac8b4b8ba1"