diff --git a/detection-rules/francais_business_email_compromise_new_sender.yml b/detection-rules/francais_business_email_compromise_new_sender.yml new file mode 100644 index 00000000000..8b3417778e1 --- /dev/null +++ b/detection-rules/francais_business_email_compromise_new_sender.yml @@ -0,0 +1,59 @@ +name: "Business Email Compromise (BEC) attempt from untrusted sender (French/Français)" +description: "Detects potential Business Email Compromise (BEC) attacks by searching for common French BEC language within the email body from first-time senders." +type: "rule" +severity: "medium" +source: | + type.inbound + and length(body.links) == 0 + and ml.nlu_classifier(body.current_thread.text).language == "french" + and 1 of ( + regex.icontains(subject.subject, + '(mise (a|à) jour|changé|changement).{0,20}(bancaire|de banque)' + ), + regex.icontains(body.current_thread.text, + '(changement|changé) de (banque)|changement bancaire|coordonnées.{0,20}(compte|banque|bancaire|salaire)', + ), + (regex.icontains(body.current_thread.text, 'parler.{0,20}confiance')) + ) + // negating legit replies + and not ( + ( + strings.istarts_with(subject.subject, "RE:") + // out of office auto-reply + // the NLU model will handle these better natively soon + or strings.istarts_with(subject.subject, "Automatic reply:") + or regex.imatch(subject.subject, + '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*' + ) + ) + and ( + length(headers.references) > 0 + or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + ) + ) + and ( + not profile.by_sender().solicited + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) + + // negate highly trusted sender domains unless they fail DMARC authentication + and ( + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + and not headers.auth_summary.dmarc.pass + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ) + +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Sender analysis" +id: "b7d1e096-d9cc-5a79-9753-5d9565794433"