BEC/Fraud: Penpal scam

name: "BEC/Fraud: Penpal scam"
description: "This rule detects messages from individuals looking to establish contact under the guise of seeking friendship or a penpal relationship. Over time, they build trust and then exploit this relationship by asking for money, personal information, or involvement in suspicious activities."
type: "rule"
severity: "medium"
source: |
  type.inbound
  
  // the sender or the reply-to is a freemail provider
  and (
    sender.email.domain.domain in $free_email_providers
    or any(headers.reply_to,
           .email.domain.root_domain in $free_email_providers
           and not sender.email.domain.root_domain in $free_email_providers
    )
  )
  
  // body contains pen ?pal
  and regex.contains(body.current_thread.text, 'pen\s?pal')
  
  // and NLU Request
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request"
  )
  
  // not a reply
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  
  // new sender
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_messages_benign
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "a4bdfa17-7527-5ee2-a27b-44d03e190773"