New Rule: BEC/Fraud: PenPal Scam #1004

Merged
merged 8 commits into from
Nov 21, 2023
63 changes: 63 additions & 0 deletions detection-rules/bec_fraud_penpal_scam.yml
@@ -0,0 +1,63 @@
name: "PenPal Scam"
description: "This rule detects messages from individuals looking to establish contact under the guise of seeking friendship or a penpal relationship. Over time, they build trust and then exploit this relationship by asking for money, personal information, or involvement in suspicious activities."
type: "rule"
severity: "medium"
source: |
type.inbound

// the sender or the reply-to is a freemail provider
and (
sender.email.domain.domain in $free_email_providers
or any(headers.reply_to,
.email.domain.root_domain in $free_email_providers
and not sender.email.domain.root_domain in $free_email_providers
)
)

// body contains pen ?pal
and regex.contains(body.current_thread.text, 'pen\s?pal')

// and NLU Request
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
)

// not a reply
and (
length(headers.references) == 0
or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)

// new sender
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives

// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "BEC/Fraud"
tactics_and_techniques:
- "Free email provider"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
id: "a4bdfa17-7527-5ee2-a27b-44d03e190773"
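Review bot: the body match on the `regex.contains(body.current_thread.text, 'pen\s?pal')` line is case-sensitive, so "Pen Pal", "PenPal" (the spelling used in this rule's own name) or "pen-pal" in the message body will not satisfy it; `regex.icontains` with a pattern such as `pen[\s-]?pal` would cover the capitalised and hyphenated forms the description is aiming at. A second, smaller inconsistency in the freemail block: the sender check uses `sender.email.domain.domain in $free_email_providers` while the reply-to check and the negation on the following line use `.root_domain`, so a sender on a subdomain of a listed provider is treated differently from a reply-to on the same subdomain; aligning both on `root_domain` keeps the two halves of the `or` symmetric. Also, the `and not sender.email.domain.root_domain in $free_email_providers` clause inside `any(headers.reply_to, ...)` does not reference the iterated element, so it evaluates identically for every reply-to header and reads more clearly hoisted out of the `any()`.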