From f107a5a5b32c262968dfec9cb0a3d53286f6c59c Mon Sep 17 00:00:00 2001
From: Bobby Filar <29960025+bfilar@users.noreply.github.com>
Date: Tue, 17 Oct 2023 11:29:02 -0500
Subject: [PATCH] New Rule: Body contains Advance Fee language (#856)
Co-authored-by: ID Generator
Co-authored-by: Sam Scholten
---
 .../body_advance_fee_new_sender.yml | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 detection-rules/body_advance_fee_new_sender.yml
diff --git a/detection-rules/body_advance_fee_new_sender.yml b/detection-rules/body_advance_fee_new_sender.yml
new file mode 100644
index 00000000000..64bd291bc40
--- /dev/null
+++ b/detection-rules/body_advance_fee_new_sender.yml
@@ -0,0 +1,46 @@
+name: "Body: Advanced Fee Fraud (AFF) from Freemail providers or Suspicious TLDs"
+description: |
+ Advanced Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised
+ future returns, such as lottery scams, inheritance payouts, and investment opportunities.
+ This rule identifies messages from Freemail domains or suspicious TLDS, including those
+ with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect
+ AFF language in their contents.
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ sender.email.domain.domain in $free_email_providers
+ or (
+ length(headers.reply_to) > 0
+ and all(headers.reply_to,
+ (
+ .email.domain.root_domain in $free_email_providers
+ or .email.domain.tld in $suspicious_tlds
+ )
+ and .email.email != sender.email.email
+ )
+ )
+ or sender.email.domain.tld in $suspicious_tlds
+ )
+ and any(ml.nlu_classifier(body.current_thread.text).tags,
+ .name == "advance_fee" and .confidence in ("medium", "high")
+ )
+ and (
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (
+ profile.by_sender().any_messages_malicious_or_spam
+ and not profile.by_sender().any_false_positives
+ )
+ )
+
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
+id: "6a5af373-a97b-5013-aeec-42ac8b4b8ba1"
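Review bot: The sender branch tests `sender.email.domain.domain in $free_email_providers` while the reply-to branch tests `.email.domain.root_domain in $free_email_providers`, so the two halves of the freemail check are not symmetric; if `$free_email_providers` lists registrable domains, a sender on a subdomain of a listed provider would be missed by the first test but caught by the second. Unless the asymmetry is deliberate, align the sender line to `sender.email.domain.root_domain in $free_email_providers`, or add a comment in the description explaining why the full domain is intended there. As a documentation nit, the name and description say "Advanced Fee Fraud" and "suspicious TLDS" while the commit title and the classifier tag use "advance fee"; the conventional term is "Advance Fee Fraud", and "TLDs" is the usual casing.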