From 0ba9d69596b82a219bd51273e2b0799aa64461c0 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Tue, 21 Nov 2023 00:37:20 +0000
Subject: [PATCH] Sync from PR#1004

New Rule: BEC/Fraud: PenPal Scam by @morriscode
https://github.com/sublime-security/sublime-rules/pull/1004
Source SHA 5c170e5c384f56452015fdb0b13c5a5f5120bbe2
Triggered by @jkamdjou
---
 detection-rules/bec_fraud_penpal_scam.yml | 59 +++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 detection-rules/bec_fraud_penpal_scam.yml

diff --git a/detection-rules/bec_fraud_penpal_scam.yml b/detection-rules/bec_fraud_penpal_scam.yml
new file mode 100644
index 00000000000..973cf496d1f
--- /dev/null
+++ b/detection-rules/bec_fraud_penpal_scam.yml
@@ -0,0 +1,59 @@
+name: "BEC/Fraud: PenPal Scam"
+description: "This rule detects messages from individuals looking to establish contact under the guise of seeking friendship or a penpal relationship. Over time, they build trust and then exploit this relationship by asking for money, personal information, or involvement in suspicious activities."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+
+ // the sender or the reply-to is a freemail provider
+ and (
+ sender.email.domain.domain in $free_email_providers
+ or any(headers.reply_to,
+ .email.domain.root_domain in $free_email_providers
+ and not sender.email.domain.root_domain in $free_email_providers
+ )
+ )
+
+ // body contains pen ?pal
+ and regex.contains(body.current_thread.text, 'pen\s?pal')
+
+ // not a reply
+ and (
+ length(headers.references) == 0
+ or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ )
+
+ // new sender
+ and (
+ (
+ profile.by_sender().prevalence in ("new", "outlier")
+ and not profile.by_sender().solicited
+ )
+ or profile.by_sender().any_messages_malicious_or_spam
+ )
+ and not profile.by_sender().any_false_positives
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Free email provider"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
+id: "a4bdfa17-7527-5ee2-a27b-44d03e190773"
+testing_pr: 1004
+testing_sha: 5c170e5c384f56452015fdb0b13c5a5f5120bbe2
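Review bot: The body check `regex.contains(body.current_thread.text, 'pen\s?pal')` is case-sensitive, so the common capitalizations "Pen Pal", "PenPal" and "Penpal" (the very spelling the rule's own name and description use) never match, and the hyphenated "pen-pal" is missed as well; since every other condition in this rule gates on that single match, this is the whole detection surface. Switching to the case-insensitive variant and allowing a hyphen, `and regex.icontains(body.current_thread.text, 'pen[\s-]?pal')`, closes both gaps without widening the pattern beyond the intended phrase. Separately, the freemail clause compares `sender.email.domain.domain` against `$free_email_providers` while the reply-to branch compares `.email.domain.root_domain`; if that list holds root domains, as the DMARC block's use of `root_domain` suggests, a freemail sender on a subdomain would slip past the first branch, so aligning it to `sender.email.domain.root_domain in $free_email_providers` looks safer — worth confirming against how the list is populated.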