
Sync from PR#2225
Create bec_urgent_suspicious_patterns.yml by @aidenmitchell
#2225
Source SHA 9edb1c4
Triggered by @aidenmitchell
Sublime Rule Testing Bot committed Dec 13, 2024
1 parent 051c795 commit dfc75c7
Showing 1 changed file with 62 additions and 0 deletions.
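--- a/detection-rules/bec_urgent_suspicious_patterns.yml
+++ b/detection-rules/bec_urgent_suspicious_patterns.yml
@@ -0,0 +1,62 @@
+name: "BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns"
+description: "Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes."
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+and 3 of (
+// urgent subjects
+strings.ilike(subject.subject, '*quick question*'),
+strings.ilike(subject.subject, '*urgent*request*'),
+strings.ilike(subject.subject, '*are you available*'),
+strings.ilike(subject.subject, '*need assistance*'),
+strings.ilike(subject.subject, '*help*needed*'),
+// BEC body patterns
+strings.ilike(body.current_thread.text, '*sorry to bother*'),
+strings.ilike(body.current_thread.text, '*are you busy*'),
+strings.ilike(body.current_thread.text, '*can you help*'),
+strings.ilike(body.current_thread.text, '*do you have a moment*'),
+strings.ilike(body.current_thread.text, '*please respond*asap*'),
+// brand name
+strings.ilike(body.current_thread.text, '*amaz*n*'), // Catches "Amaz on", "Amazon", etc.
+strings.ilike(body.current_thread.text, '*pay*pal*'),
+strings.ilike(body.current_thread.text, '*app*le*'),
+// short body
+length(body.current_thread.text) < 200,
+strings.count(body.current_thread.text, ' ') < 30
+)
+and 3 of (
+// suspicious sender
+sender.email.domain.root_domain in $free_email_providers,
+network.whois(sender.email.domain).days_old < 30,
+// suspicious recipient pattern
+any(recipients.to, strings.ilike(.display_name, 'undisclosed?recipients')),
+length(recipients.to) == 1, // Single recipient
+// header checks
+strings.starts_with(headers.mailer, 'Open-Xchange Mailer'),
+strings.ilike(headers.x_originating_ip.ip, '*.*.*.0'), // Common in some BEC campaigns
+)
+and profile.by_sender_email().prevalence not in ("common")
+attack_types:
+- "BEC/Fraud"
+- "Callback Phishing"
+- "Spam"
+tactics_and_techniques:
+- "Impersonation: Brand"
+- "Social engineering"
+- "Free email provider"
+detection_methods:
+- "Content analysis"
+- "Header analysis"
+- "Sender analysis"
+- "Whois"
+id: "ba8a79e0-cce3-57e8-bbc7-3b3d9f848761"
+testing_pr: 2225
+testing_sha: 9edb1c46ffa36447bcbcebc1dd73df99ec44e4e1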
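Review bot: The brand wildcards `'*amaz*n*'`, `'*pay*pal*'` and `'*app*le*'` in the first `3 of` group are unanchored substring matches that also hit ordinary English ("amazing" satisfies `*amaz*n*`, "applicable" or "apply … sale" satisfies `*app*le*`), and because `length(body.current_thread.text) < 200` and `strings.count(body.current_thread.text, ' ') < 30` almost always fire together, one such incidental word plus a short body already satisfies the whole group, so the "urgent language" half of the rule carries little weight for most short inbound mail from a free-mail sender to a single recipient. Word-bounded regexes keep the spaced-out-brand evasion the comment is after without the collateral: `regex.icontains(body.current_thread.text, '\bamaz[\s.-]?on\b'),` / `regex.icontains(body.current_thread.text, '\bpay[\s.-]?pal\b'),` / `regex.icontains(body.current_thread.text, '\bapp[\s.-]?le\b'),` and the two length checks should be collapsed into a single short-body condition so it counts once toward the threshold. The trailing comma after the `headers.x_originating_ip.ip` condition, immediately before the `)` that closes the second group, may be rejected by the MQL parser depending on its list grammar, which the rule tester output for this PR should confirm. The `'*.*.*.0'` originating-IP pattern is asserted to be "common in some BEC campaigns" with no reference; a short comment naming the campaign or the source of that observation would help the next maintainer judge whether to keep it.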
