Honorific greeting BEC attempt with sender and reply-to mismatch

name: "Honorific greeting BEC attempt with sender and reply-to mismatch"
description: |
  Detects generic BEC/Fraud scams by analyzing text within the email body from mismatched senders with other suspicious indicators.
type: "rule"
severity: "low"
source: |
  type.inbound
  // mismatched sender (From) and Reply-to + freemail
  and any(headers.reply_to,
          length(headers.reply_to) > 0
          and all(headers.reply_to,
                  .email.domain.root_domain != sender.email.domain.root_domain
                  and .email.domain.root_domain in $free_email_providers
          )
  )
  
  // use of honorific
  and regex.icontains(body.current_thread.text,
                      '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+'
  )
  
  // BEC-themed language
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("bec", "advance_fee")
    )
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "request"
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  and not profile.by_sender().any_messages_benign
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "aa41b1b7-155c-5812-b431-25ac415538a6"