
BEC/Fraud: Scam lure with freemail pivot

This rule detects BEC/fraud lures that ask the victim to move the conversation out of band to a freemail address supplied in the message body. It is low-severity by design: the content checks are broad, and the sender-profile conditions at the end do most of the false-positive suppression.

Detection Query

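type.inbound

// Short body: these lures carry almost no content, just a hook and a
// contact address to reply to.
and length(body.current_thread.text) < 800

// Exactly one visible recipient, and it is the sender itself
// (self-addressed mail with the real targets hidden in Bcc is a common
// bulk-scam pattern). Both recipient checks are combined into one pass.
and length(recipients.to) == 1
and all(recipients.to,
        .email.email == sender.email.email
        // tolerate "undisclosed recipients" placeholders that lack a valid domain
        and (
          .email.domain.valid or strings.icontains(.display_name, "undisclosed")
        )
        // self-addressed mail from our own domains is out of scope here
        // ($org_domains is maintained outside this rule)
        and .email.domain.root_domain not in $org_domains
)

// Exactly one link, and it does not point back at the sender's own domain
and length(body.links) == 1
and all(body.links,
        .href_url.domain.root_domain != sender.email.domain.root_domain
)

// Scam-lure phrasing: an honorific followed by a name, a generic salutation
// ("Sir", "Madam", "kindly"), or German urgency/claim wording.
// Leading \b on the English terms stops substring hits such as "items ",
// "forms ", "desire" or "programs " from satisfying this clause; the
// original pattern matched those because icontains is an unanchored search.
and regex.icontains(body.current_thread.text,
                    '(\b(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+)|(\b(?:sir|madam|kindly))|(dringend|eingefordert|anspruch)'
)

// The body names an address at a freemail provider: the out-of-band pivot.
// NOTE(review): these two checks are independent. Any email-shaped string
// plus any $free_email_providers entry appearing anywhere in the text
// satisfies them; the address is not verified to be AT the freemail domain.
and (
  regex.contains(body.current_thread.text,
                 "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
  )
  and any($free_email_providers, strings.icontains(body.current_thread.text, .))
)

// Sender profile: either new/unusual and unsolicited, or with prior
// malicious/spam history. In both cases no message from this sender may
// ever have been marked benign; the trailing check covers both branches,
// so the duplicated "not any_messages_benign" inside the second branch
// has been dropped without changing the result.
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign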

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
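name: "BEC/Fraud: Scam lure with freemail pivot"
description: "This rule detects BEC/fraud lures that ask the victim to move the conversation out of band to a freemail address supplied in the message body."
type: "rule"
severity: "low"
source: |
  type.inbound
  
  // Short body: these lures carry almost no content, just a hook and a
  // contact address to reply to.
  and length(body.current_thread.text) < 800
  
  // Exactly one visible recipient, and it is the sender itself
  // (self-addressed mail with the real targets hidden in Bcc is a common
  // bulk-scam pattern). Both recipient checks are combined into one pass.
  and length(recipients.to) == 1
  and all(recipients.to,
          .email.email == sender.email.email
          // tolerate "undisclosed recipients" placeholders that lack a valid domain
          and (
            .email.domain.valid or strings.icontains(.display_name, "undisclosed")
          )
          // self-addressed mail from our own domains is out of scope here
          // ($org_domains is maintained outside this rule)
          and .email.domain.root_domain not in $org_domains
  )
  
  // Exactly one link, and it does not point back at the sender's own domain
  and length(body.links) == 1
  and all(body.links,
          .href_url.domain.root_domain != sender.email.domain.root_domain
  )
  
  // Scam-lure phrasing: an honorific followed by a name, a generic salutation
  // ("Sir", "Madam", "kindly"), or German urgency/claim wording.
  // Leading \b on the English terms stops substring hits such as "items ",
  // "forms ", "desire" or "programs " from satisfying this clause; the
  // original pattern matched those because icontains is an unanchored search.
  and regex.icontains(body.current_thread.text,
                      '(\b(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+)|(\b(?:sir|madam|kindly))|(dringend|eingefordert|anspruch)'
  )
  
  // The body names an address at a freemail provider: the out-of-band pivot.
  // NOTE(review): these two checks are independent. Any email-shaped string
  // plus any $free_email_providers entry appearing anywhere in the text
  // satisfies them; the address is not verified to be AT the freemail domain.
  and (
    regex.contains(body.current_thread.text,
                   "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
    )
    and any($free_email_providers, strings.icontains(body.current_thread.text, .))
  )
  
  // Sender profile: either new/unusual and unsolicited, or with prior
  // malicious/spam history. In both cases no message from this sender may
  // ever have been marked benign; the trailing check covers both branches,
  // so the duplicated "not any_messages_benign" inside the second branch
  // has been dropped without changing the result.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_messages_benign
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Out of band pivot"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "898c769f-45a4-5561-8d51-be765addcf1d"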