Sync from PR#2022
Update spam_attendee_list_solicitation.yml by @morriscode
#2022
Source SHA 2b0f654
Triggered by @morriscode
Sublime Rule Testing Bot committed Oct 18, 2024
1 parent bcb33ef commit d3947bc
Showing 1 changed file with 98 additions and 0 deletions.
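--- a/detection-rules/spam_attendee_list_solicitation.yml
+++ b/detection-rules/spam_attendee_list_solicitation.yml
@@ -0,0 +1,98 @@
+name: "Spam: Attendee List solicitation"
+description: "This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request."
+type: "rule"
+severity: "low"
+source: |
+type.inbound
+and length(body.current_thread.text) < 2000
+and length(body.links) < 5
+and (
+(
+(
+any([subject.subject, body.current_thread.text],
+(
+regex.icontains(.,
+'(Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(s)?(\s\w*){0,9}(list(s|\b)|database)'
+)
+and not (
+regex.icount(., "email list") == 1
+and regex.icontains(.,
+'(?:unsub|remove)(\s\w*){0,5}email list',
+'email list(\s\w*){0,5}(?:unsub|remove)'
+)
+)
+)
+or regex.icontains(.,
+'(list|database)(\s\w*){0,9}(Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(s)?'
+)
+or strings.icontains(., 'list of ')
+)
+)
+and regex.icontains(body.current_thread.text,
+"(interested|accessing|purchas|obtain|acuir|sample)"
+)
+and not regex.icontains(body.current_thread.text,
+"(debit card|transaction.{0,20}processed)"
+)
+)
+// if there are indicators of a previous thread, also inspect the previous thread
+or (
+// contains references to the previous thread
+2 of (
+regex.icontains(body.current_thread.text, '(?:get|got|had) a chance'),
+regex.icontains(body.current_thread.text,
+'(?:below|previous|last|prior) email'
+),
+regex.icontains(body.current_thread.text, 'follow(?:ing)? up'),
+regex.icontains(body.current_thread.text, '(contacts?|attendees?) list'),
+strings.icontains(body.current_thread.text, 'heard back'),
+)
+and any([body.html.display_text, body.plain.raw],
+(
+3 of (
+strings.icontains(., "from:"),
+strings.icontains(., "to:"),
+strings.icontains(., "sent:"),
+strings.icontains(., "date:"),
+strings.icontains(., "cc:"),
+strings.icontains(., "subject:")
+)
+or strings.icontains(.,
+strings.concat(sender.display_name,
+" <",
+sender.email.email,
+"> wrote:"
+)
+)
+)
+// match _after_ the previous thread indciators
+and (
+regex.icontains(.,
+'(from|to|sent|date|cc|subject|wrote):.*(Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(s)?(\s\w*){0,9}(list|database)'
+)
+or regex.icontains(.,
+'(from|to|sent|date|cc|subject|wrote):.*(list|database)(\s\w*){0,9}(Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(s)?'
+)
+or (
+2 of (
+strings.icontains(., "provide counts"),
+regex.icontains(., "(?:verified|fresh) data"),
+strings.icontains(., "precise targeting"),
+strings.icontains(., "deliverability")
+)
+and regex.icontains(., "(?:list|database)")
+)
+)
+)
+)
+)
+tags:
+- "Attack surface reduction"
+attack_types:
+- "Spam"
+detection_methods:
+- "Content analysis"
+- "Sender analysis"
+id: "69715b62-7747-5f85-a399-dc72c3f8cb7d"
+testing_pr: 2022
+testing_sha: 2b0f6540329b7d6311fb6274255e7a0007ab1b31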
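Review bot: The interest-keyword alternation in the first branch, `regex.icontains(body.current_thread.text, "(interested|accessing|purchas|obtain|acuir|sample)")`, contains `acuir`, which looks like a typo for `acquir`; as written that alternative never matches "acquire"/"acquiring", so messages using only that wording silently fall through unless another keyword is present. Suggest `"(interested|accessing|purchas|obtain|acquir|sample)"`. The comment `// match _after_ the previous thread indciators` should read `indicators`. Separately, the fallback `or strings.icontains(., 'list of ')` is far broader than the two regex alternatives beside it and is gated only by the short-body/few-links limits, the interest-keyword check and the debit-card exclusion, so it may be worth tracking false positives on ordinary mail that mentions a "list of" anything.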
