Create bec_urgent_suspicious_patterns.yml by @aidenmitchell #2225 Source SHA 9edb1c4 Triggered by @aidenmitchell
Sublime Rule Testing Bot
committed
Dec 13, 2024
1 parent
051c795
commit dfc75c7
Showing
1 changed file
with
62 additions
and
0 deletions.
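--- /dev/null
+++ b/bec_urgent_suspicious_patterns.yml
@@ -0,0 +1,62 @@
+name: "BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns"
+description: "Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and 3 of (
+    // urgent subjects
+    strings.ilike(subject.subject, '*quick question*'),
+    strings.ilike(subject.subject, '*urgent*request*'),
+    strings.ilike(subject.subject, '*are you available*'),
+    strings.ilike(subject.subject, '*need assistance*'),
+    strings.ilike(subject.subject, '*help*needed*'),
+    // BEC body patterns
+    strings.ilike(body.current_thread.text, '*sorry to bother*'),
+    strings.ilike(body.current_thread.text, '*are you busy*'),
+    strings.ilike(body.current_thread.text, '*can you help*'),
+    strings.ilike(body.current_thread.text, '*do you have a moment*'),
+    strings.ilike(body.current_thread.text, '*please respond*asap*'),
+    // brand name
+    strings.ilike(body.current_thread.text, '*amaz*n*'), // Catches "Amaz on", "Amazon", etc.
+    strings.ilike(body.current_thread.text, '*pay*pal*'),
+    strings.ilike(body.current_thread.text, '*app*le*'),
+    // short body
+    length(body.current_thread.text) < 200,
+    strings.count(body.current_thread.text, ' ') < 30
+  )
+  and 3 of (
+    // suspicious sender
+    sender.email.domain.root_domain in $free_email_providers,
+    network.whois(sender.email.domain).days_old < 30,
+    // suspicious recipient pattern
+    any(recipients.to, strings.ilike(.display_name, 'undisclosed?recipients')),
+    length(recipients.to) == 1, // Single recipient
+    // header checks
+    strings.starts_with(headers.mailer, 'Open-Xchange Mailer'),
+    strings.ilike(headers.x_originating_ip.ip, '*.*.*.0'), // Common in some BEC campaigns
+  )
+  and profile.by_sender_email().prevalence not in ("common")
+attack_types:
+  - "BEC/Fraud"
+  - "Callback Phishing"
+  - "Spam"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+  - "Free email provider"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+  - "Whois"
+id: "ba8a79e0-cce3-57e8-bbc7-3b3d9f848761"
+testing_pr: 2225
+testing_sha: 9edb1c46ffa36447bcbcebc1dd73df99ec44e4e1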
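Review bot: The two "short body" tests, `length(body.current_thread.text) < 200` and `strings.count(body.current_thread.text, ' ') < 30`, almost always fire together, so the first `3 of` block is effectively satisfied by any short message plus a single phrase or brand hit, and the brand globs are loose enough that this happens on ordinary mail (`'*app*le*'` also matches "applicable" or "appreciable", `'*amaz*n*'` matches "amazing" followed by any later "n", `'*pay*pal*'` matches "pay" and "pal" anywhere in the thread). Consider collapsing the two length tests into one indicator and anchoring the brand checks as word-bounded regexes, e.g. `regex.icontains(body.current_thread.text, '\bamaz\s?on\b')`, `regex.icontains(body.current_thread.text, '\bpay\s?pal\b')`, `regex.icontains(body.current_thread.text, '\bapp\s?le\b')`. In the second block, the `headers.x_originating_ip.ip` glob `'*.*.*.0'` matches any IPv4 address whose last octet is 0 and never matches IPv6, and the comment "Common in some BEC campaigns" is not supported by anything on this page; either cite the campaign data in that comment or drop the indicator, because with `length(recipients.to) == 1` and `$free_email_providers` already in the same `3 of` it is the third signal that tips routine personal mail into an alert.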