sublime | medium | Rule
Invoice from freemail sender (unsolicited)
An invoice from a freemail sender your organization has never sent an email to before.
Detection Query
type.inbound
and strings.ilike(subject.subject, "*invoice*")
and sender.email.domain.root_domain in $free_email_providers
// Unsolicited (has my organization ever sent an email to this sender?)
and (
  (
    sender.email.domain.root_domain in $free_email_providers
    and sender.email.email not in $recipient_emails
  )
  or (
    sender.email.domain.root_domain not in $free_email_providers
    and sender.email.domain.domain not in $recipient_domains
  )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Invoice fraud
Raw Content
name: "Invoice from freemail sender (unsolicited)"
description: |
  An invoice from a freemail sender your organization has never sent an email to before.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.ilike(subject.subject, "*invoice*")
  and sender.email.domain.root_domain in $free_email_providers
  // Unsolicited (has my organization ever sent an email to this sender?)
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
tags:
  - "Invoice fraud"
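An added example, not part of the rule or the platform's own code: a Python emulation of the query above, run over constructed messages to show which conditions gate a match and that the second `or` branch never changes the result. The list contents, the helper names, and the last-two-labels root domain are assumptions; `strings.ilike` is approximated as a case-insensitive `*` wildcard match.

```python
from fnmatch import fnmatchcase

# Constructed stand-ins for the lists the rule references (assumed contents).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com"}
RECIPIENT_EMAILS = {"vendor.billing@gmail.com"}  # addresses the org has emailed
RECIPIENT_DOMAINS = {"supplier.example"}         # domains the org has emailed

def ilike(value, pattern):
    """Case-insensitive '*' wildcard match, approximating strings.ilike."""
    return fnmatchcase(value.lower(), pattern.lower())

def sender_fields(address):
    """Fields the rule reads; root_domain simplified to the last two labels."""
    email = address.lower()
    domain = email.rsplit("@", 1)[1]
    return email, domain, ".".join(domain.split(".")[-2:])

def rule_matches(msg):
    # Condition-for-condition port of the query, including both 'or' branches.
    email, domain, root = sender_fields(msg["from"])
    return (
        msg["inbound"]
        and ilike(msg["subject"], "*invoice*")
        and root in FREE_EMAIL_PROVIDERS
        and (
            (root in FREE_EMAIL_PROVIDERS and email not in RECIPIENT_EMAILS)
            or (root not in FREE_EMAIL_PROVIDERS and domain not in RECIPIENT_DOMAINS)
        )
    )

def reduced_matches(msg):
    """Rule without the second branch, which the freemail condition makes false."""
    email, _, root = sender_fields(msg["from"])
    return (msg["inbound"] and ilike(msg["subject"], "*invoice*")
            and root in FREE_EMAIL_PROVIDERS and email not in RECIPIENT_EMAILS)

SAMPLES = [  # constructed messages
    {"from": "billing.dept@gmail.com", "subject": "INVOICE #4411 due", "inbound": True},
    {"from": "vendor.billing@gmail.com", "subject": "Invoice for March", "inbound": True},
    {"from": "ap@unknown-corp.example", "subject": "Overdue invoice", "inbound": True},
    {"from": "someone@outlook.com", "subject": "Lunch on Friday?", "inbound": True},
    {"from": "billing.dept@gmail.com", "subject": "Invoice copy", "inbound": False},
]

def evaluate(samples=SAMPLES):
    return [rule_matches(m) for m in samples]

if __name__ == "__main__":
    print(list(zip((m["from"] for m in SAMPLES), evaluate())))
```

Only the first sample is flagged: the second sender is already in the recipient list, the third is not a freemail domain, the fourth has no "invoice" in the subject, and the fifth is not inbound.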