Suspicious display name: Gmail sender with engaging language
Detects Gmail senders using display names with suspicious language patterns commonly associated with social engineering tactics, including urgency indicators, contact requests, and verification prompts.
Detection Query
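// Evaluate inbound mail only.
type.inbound
// At least two of the cues below must appear in the display name, so a single
// ordinary word such as "Contact" or "Review" does not fire by itself.
// Each cue is a case-insensitive substring test: short tokens like 'cell',
// 'text' or 'need' also match inside longer words and personal names.
and 2 of (
  strings.icontains(sender.display_name, 'kindly'),
  strings.icontains(sender.display_name, 'phone'),
  strings.icontains(sender.display_name, 'cell'),
  strings.icontains(sender.display_name, 'expedite'),
  strings.icontains(sender.display_name, 'urgent'),
  strings.icontains(sender.display_name, 'contact'),
  strings.icontains(sender.display_name, 'review'),
  strings.icontains(sender.display_name, 'confirm'),
  strings.icontains(sender.display_name, 'asap'),
  strings.icontains(sender.display_name, 'follow up'),
  strings.icontains(sender.display_name, 'nicely'),
  strings.icontains(sender.display_name, 'btc'),
  strings.icontains(sender.display_name, 'reply'),
  strings.icontains(sender.display_name, 'respond'),
  strings.icontains(sender.display_name, 'verify'),
  strings.icontains(sender.display_name, 'convenience'),
  strings.icontains(sender.display_name, 'response'),
  strings.icontains(sender.display_name, 'number'),
  strings.icontains(sender.display_name, 'mobile'),
  strings.icontains(sender.display_name, 'text'),
  strings.icontains(sender.display_name, 'request'),
  strings.icontains(sender.display_name, 'required'),
  strings.icontains(sender.display_name, 'important'),
  strings.icontains(sender.display_name, 'need'),
  strings.icontains(sender.display_name, 'quick'),
  strings.icontains(sender.display_name, 'sensitive'),
  strings.icontains(sender.display_name, 'reach'),
  strings.icontains(sender.display_name, 'action'),
  // A weekday name counts as one cue, however many of them appear.
  (
    strings.icontains(sender.display_name, 'monday')
    or strings.icontains(sender.display_name, 'tuesday')
    or strings.icontains(sender.display_name, 'wednesday')
    or strings.icontains(sender.display_name, 'thursday')
    or strings.icontains(sender.display_name, 'friday')
    or strings.icontains(sender.display_name, 'saturday')
    or strings.icontains(sender.display_name, 'sunday')
  ),
  // A month name counts as one cue, however many of them appear.
  (
    strings.icontains(sender.display_name, 'january')
    or strings.icontains(sender.display_name, 'february')
    or strings.icontains(sender.display_name, 'march')
    or strings.icontains(sender.display_name, 'april')
    // 'may' is also a common given name and surname fragment (Maya, Mayer,
    // Mayra), so it is matched as a whole word rather than as a substring.
    or regex.icontains(sender.display_name, '\bmay\b')
    or strings.icontains(sender.display_name, 'june')
    or strings.icontains(sender.display_name, 'july')
    or strings.icontains(sender.display_name, 'august')
    or strings.icontains(sender.display_name, 'september')
    or strings.icontains(sender.display_name, 'october')
    or strings.icontains(sender.display_name, 'november')
    or strings.icontains(sender.display_name, 'december')
  )
)
// Only Gmail senders, and only messages that carry neither attachments nor
// links in the current thread.
and sender.email.domain.domain == 'gmail.com'
and length(attachments) == 0
and length(body.current_thread.links) == 0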
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
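# Sublime Security detection rule. The MQL under `source` is the detection
# logic; the remaining keys are catalogue metadata.
name: "Suspicious display name: Gmail sender with engaging language"
description: "Detects Gmail senders using display names with suspicious language patterns commonly associated with social engineering tactics, including urgency indicators, contact requests, and verification prompts."
type: "rule"
severity: "low"
source: |
  // Evaluate inbound mail only.
  type.inbound
  // At least two of the cues below must appear in the display name, so a single
  // ordinary word such as "Contact" or "Review" does not fire by itself.
  // Each cue is a case-insensitive substring test: short tokens like 'cell',
  // 'text' or 'need' also match inside longer words and personal names.
  and 2 of (
    strings.icontains(sender.display_name, 'kindly'),
    strings.icontains(sender.display_name, 'phone'),
    strings.icontains(sender.display_name, 'cell'),
    strings.icontains(sender.display_name, 'expedite'),
    strings.icontains(sender.display_name, 'urgent'),
    strings.icontains(sender.display_name, 'contact'),
    strings.icontains(sender.display_name, 'review'),
    strings.icontains(sender.display_name, 'confirm'),
    strings.icontains(sender.display_name, 'asap'),
    strings.icontains(sender.display_name, 'follow up'),
    strings.icontains(sender.display_name, 'nicely'),
    strings.icontains(sender.display_name, 'btc'),
    strings.icontains(sender.display_name, 'reply'),
    strings.icontains(sender.display_name, 'respond'),
    strings.icontains(sender.display_name, 'verify'),
    strings.icontains(sender.display_name, 'convenience'),
    strings.icontains(sender.display_name, 'response'),
    strings.icontains(sender.display_name, 'number'),
    strings.icontains(sender.display_name, 'mobile'),
    strings.icontains(sender.display_name, 'text'),
    strings.icontains(sender.display_name, 'request'),
    strings.icontains(sender.display_name, 'required'),
    strings.icontains(sender.display_name, 'important'),
    strings.icontains(sender.display_name, 'need'),
    strings.icontains(sender.display_name, 'quick'),
    strings.icontains(sender.display_name, 'sensitive'),
    strings.icontains(sender.display_name, 'reach'),
    strings.icontains(sender.display_name, 'action'),
    // A weekday name counts as one cue, however many of them appear.
    (
      strings.icontains(sender.display_name, 'monday')
      or strings.icontains(sender.display_name, 'tuesday')
      or strings.icontains(sender.display_name, 'wednesday')
      or strings.icontains(sender.display_name, 'thursday')
      or strings.icontains(sender.display_name, 'friday')
      or strings.icontains(sender.display_name, 'saturday')
      or strings.icontains(sender.display_name, 'sunday')
    ),
    // A month name counts as one cue, however many of them appear.
    (
      strings.icontains(sender.display_name, 'january')
      or strings.icontains(sender.display_name, 'february')
      or strings.icontains(sender.display_name, 'march')
      or strings.icontains(sender.display_name, 'april')
      // 'may' is also a common given name and surname fragment (Maya, Mayer,
      // Mayra), so it is matched as a whole word rather than as a substring.
      or regex.icontains(sender.display_name, '\bmay\b')
      or strings.icontains(sender.display_name, 'june')
      or strings.icontains(sender.display_name, 'july')
      or strings.icontains(sender.display_name, 'august')
      or strings.icontains(sender.display_name, 'september')
      or strings.icontains(sender.display_name, 'october')
      or strings.icontains(sender.display_name, 'november')
      or strings.icontains(sender.display_name, 'december')
    )
  )
  // Only Gmail senders, and only messages that carry neither attachments nor
  // links in the current thread.
  and sender.email.domain.domain == 'gmail.com'
  and length(attachments) == 0
  and length(body.current_thread.links) == 0
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "82ca0ff1-e823-5930-aa2d-7d2b572a528b"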