sublime | medium | Rule

Spam: Ghostwriting services scam with manipulative language

Detects unsolicited messages promoting ghostwriting or book publishing services that use manipulative language patterns commonly seen in scams, such as offering complimentary samples, expressing fascination with the recipient's achievements, or requesting personal information under the guise of writing assistance.

MITRE ATT&CK

initial-access

Detection Query

// Flags short inbound messages that pair ghostwriting/publishing vocabulary with
// solicitation phrasing, unless the NLU topic classifier or the sender-trust
// clause at the end rules the message out. All top-level groups are ANDed.
type.inbound
// Only messages whose current-thread body text is under 1500 characters are considered.
and length(body.current_thread.text) < 1500
// Topic gate: any ONE of the subject or body substrings below satisfies this group.
// All matches are case-insensitive substring checks.
and (
  // Ghostwriting and book-related terms in subject
  strings.icontains(subject.subject, "book project")
  or strings.icontains(subject.subject, "ghostwriting")
  or strings.icontains(subject.subject, "becoming an author")
  or strings.icontains(subject.subject, "your book")
  or strings.icontains(subject.subject, "writing project")
  // NOTE(review): "publish" here and "publishing" in the body are broad substrings;
  // precision comes from the phrase group further down, not from this gate.
  or strings.icontains(subject.subject, "publish")
  // NOTE(review): the padded spaces require a space on both sides, so a subject that
  // begins or ends with "author", or has punctuation next to it, does not match this term.
  or strings.icontains(subject.subject, " author ")

  // Body contains ghostwriting service offers
  or strings.icontains(body.current_thread.text, "ghostwriting")
  or strings.icontains(body.current_thread.text, "ghostwriter")
  or strings.icontains(body.current_thread.text, "writing firm")
  or strings.icontains(body.current_thread.text, "book writing")
  or strings.icontains(body.current_thread.text, "publishing")
)
// Common scam language patterns
// At least one of the following must also appear in the body.
and (
  // "complimentary" only counts together with one of: sample, chapter, consultation.
  (
    strings.icontains(body.current_thread.text, "complimentary")
    and (
      strings.icontains(body.current_thread.text, "sample")
      or strings.icontains(body.current_thread.text, "chapter")
      or strings.icontains(body.current_thread.text, "consultation")
    )
  )
  // "fascinated" only counts together with "what you have done".
  or (
    strings.icontains(body.current_thread.text, "fascinated")
    and strings.icontains(body.current_thread.text, "what you have done")
  )
  // Each remaining phrase is sufficient on its own.
  or strings.icontains(body.current_thread.text, "inspiring stories")
  or strings.icontains(body.current_thread.text, "gather some information")
  or strings.icontains(body.current_thread.text, "few minutes of your time")
  or strings.icontains(body.current_thread.text, "absolutely no obligation")
  or strings.icontains(body.current_thread.text, "writing team")
)
// Exclusion: skip the message when the NLU classifier assigns any of the listed
// topics with high confidence. Lower-confidence topic matches do not exclude.
// NOTE(review): "Advertising and Promotions" is in this list, so a solicitation the
// classifier confidently labels as promotional is not flagged by this rule.
and not (
  any(ml.nlu_classifier(body.current_thread.text).topics,
      .name in (
        "Newsletters and Digests",
        "Events and Webinars",
        "Educational and Research",
        "Financial Communications",
        "Advertising and Promotions",
        "Legal and Compliance",
        "Professional and Career Development"
      )
      and .confidence == "high"
  )
)

// Standard negations
// A sender whose root domain is in $high_trust_sender_root_domains matches only when
// the message does not pass DMARC; any other sender root domain satisfies this clause.
// The $high_trust_sender_root_domains list is defined outside this rule.
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Rule definition: metadata keys first, then the detection query, then classification tags.
name: "Spam: Ghostwriting services scam with manipulative language"
description: "Detects unsolicited messages promoting ghostwriting or book publishing services that use manipulative language patterns commonly seen in scams, such as offering complimentary samples, expressing fascination with the recipient's achievements, or requesting personal information under the guise of writing assistance."
type: "rule"
severity: "medium"
# Detection query, stored as a literal block scalar. Lines beginning with "//" inside
# the block are comments in the query language. A "#" line placed inside the block would
# become part of the query text, so YAML comments are kept outside it.
# Logic: short inbound message AND (ghostwriting/publishing term in subject or body)
# AND (solicitation phrase in body) AND NOT (high-confidence NLU topic from the listed set)
# AND (sender root domain not high-trust, or high-trust without a DMARC pass).
source: |
  type.inbound
  and length(body.current_thread.text) < 1500
  and (
    // Ghostwriting and book-related terms in subject
    strings.icontains(subject.subject, "book project")
    or strings.icontains(subject.subject, "ghostwriting")
    or strings.icontains(subject.subject, "becoming an author")
    or strings.icontains(subject.subject, "your book")
    or strings.icontains(subject.subject, "writing project")
    or strings.icontains(subject.subject, "publish")
    or strings.icontains(subject.subject, " author ")
  
    // Body contains ghostwriting service offers
    or strings.icontains(body.current_thread.text, "ghostwriting")
    or strings.icontains(body.current_thread.text, "ghostwriter")
    or strings.icontains(body.current_thread.text, "writing firm")
    or strings.icontains(body.current_thread.text, "book writing")
    or strings.icontains(body.current_thread.text, "publishing")
  )
  // Common scam language patterns
  and (
    (
      strings.icontains(body.current_thread.text, "complimentary")
      and (
        strings.icontains(body.current_thread.text, "sample")
        or strings.icontains(body.current_thread.text, "chapter")
        or strings.icontains(body.current_thread.text, "consultation")
      )
    )
    or (
      strings.icontains(body.current_thread.text, "fascinated")
      and strings.icontains(body.current_thread.text, "what you have done")
    )
    or strings.icontains(body.current_thread.text, "inspiring stories")
    or strings.icontains(body.current_thread.text, "gather some information")
    or strings.icontains(body.current_thread.text, "few minutes of your time")
    or strings.icontains(body.current_thread.text, "absolutely no obligation")
    or strings.icontains(body.current_thread.text, "writing team")
  )
  and not (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in (
          "Newsletters and Digests",
          "Events and Webinars",
          "Educational and Research",
          "Financial Communications",
          "Advertising and Promotions",
          "Legal and Compliance",
          "Professional and Career Development"
        )
        and .confidence == "high"
    )
  )
  
  // Standard negations
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification tags attached to the rule.
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Social engineering"
# NOTE(review): "Sender analysis" presumably refers to the high-trust-domain / DMARC
# clause at the end of the query, and "Content analysis" to the keyword and NLU checks — confirm.
detection_methods:
  - "Content analysis"
  - "Sender analysis"
# Rule identifier (UUID-formatted string).
id: "b747c3ea-509e-5a0d-ab00-3376cf7ba68b"