EXPLORE
← Back to Explore
sublimemediumRule

BEC/Fraud: Unsolicited business acquisition offer

Detects inbound messages with subjects referencing an offer to purchase, combined with body content mentioning private equity, acquiring companies, or discussing an opportunity. These messages are characteristic of fraudulent or unsolicited business acquisition solicitations designed to engage targets in fraudulent financial dealings.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and strings.icontains(subject.base,
                      "Offer to Purchase",
                      "Transaction Opportunity"
)
and (
  strings.icontains(body.plain.raw,
                    "private equity",
                    "acquiring companies",
                    "discuss the opportunity",
                    "pe firm"
  )
  or (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "financial" and strings.icontains(.text, "purchase")
    )
    and any(ml.nlu_classifier(body.current_thread.text).topics,
            .name == "B2B Cold Outreach" and .confidence == "high"
    )
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "BEC/Fraud: Unsolicited business acquisition offer"
description: "Detects inbound messages with subjects referencing an offer to purchase, combined with body content mentioning private equity, acquiring companies, or discussing an opportunity. These messages are characteristic of fraudulent or unsolicited business acquisition solicitations designed to engage targets in fraudulent financial dealings."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.icontains(subject.base,
                        "Offer to Purchase",
                        "Transaction Opportunity"
  )
  and (
    strings.icontains(body.plain.raw,
                      "private equity",
                      "acquiring companies",
                      "discuss the opportunity",
                      "pe firm"
    )
    or (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "financial" and strings.icontains(.text, "purchase")
      )
      and any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "B2B Cold Outreach" and .confidence == "high"
      )
    )
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
id: "b79e655b-5b3f-5857-9849-39de16937a51"