[Shared Samples] [PR #4374] added rule: PR# 4374 - Business Email Compromise: Request for mobile number via reply thread hijacking

github-actions[bot] · github-actions[bot] · commit 219d5c84ecd2 · 2026-04-21T12:40:43.000Z
diff --git a/detection-rules/4374_body_bec_mobile_solicitation_reply_thread.yml b/detection-rules/4374_body_bec_mobile_solicitation_reply_thread.yml
@@ -0,0 +1,85 @@
+name: "PR# 4374 - Business Email Compromise: Request for mobile number via reply thread hijacking"
+description: "This rule detects BEC attacks that use reply threads to solicit mobile numbers, evading detection rules that exclude RE: subjects."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and 0 < length(body.previous_threads) < 3
+  and length(attachments) == 0
+  // Check previous_threads for mobile solicitation patterns
+  and any(body.previous_threads,
+          (
+            length(.text) < 500
+            // ignore disclaimers in body length calculation
+            or (
+              any(map(filter(ml.nlu_classifier(.text).entities,
+                             .name == "disclaimer"
+                      ),
+                      .text
+                  ),
+                  (length(..text) - length(.)) < 500
+              )
+            )
+          )
+          and regex.icontains(.text,
+                              '(?:mobile|suitable|contact|current|cell|call|another).{0,10}(phone|number|#|\bno)|whatsapp|\bcell|personalcell|(?:reliable|recent).{0,30}(?:phone|number).{0,15}contact|(?:share|send).{0,10}(?:a\s)?number.{0,10}(?:text|reach)'
+          )
+  )
+  
+  // NLU analysis on previous_threads content
+  and (
+    any(body.previous_threads,
+        any(ml.nlu_classifier(.text).intents,
+            .name in ("bec", "advance_fee") and .confidence in ("medium", "high")
+        )
+    )
+    or (
+      // confidence can be low on very short bodies
+      any(body.previous_threads, length(.text) < 550)
+      and (
+        any(body.previous_threads,
+            any(ml.nlu_classifier(.text).intents, .name == "bec")
+        )
+        or any(ml.nlu_classifier(sender.display_name).intents, .name == "bec")
+        or any(body.previous_threads,
+               any(ml.nlu_classifier(.text).entities,
+                   strings.icontains(.text, "kindly")
+               )
+        )
+      )
+    )
+  )
+  // Sender analysis
+  and (
+    not profile.by_sender().solicited
+    or profile.by_sender().any_messages_malicious_or_spam
+  )
+  and not profile.by_sender().any_messages_benign
+  // not high trust sender domains
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  // Ensure this is likely a hijacked thread (sender doesn't match thread participants)
+  and (
+    length(headers.references) > 0
+    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+  )
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+id: "2e916bfc-66ee-5047-b15a-ee4c8b04591c"
+tags:
+  - created_from_open_prs
+  - rule_status_modified
+  - pr_author_JFarina5
+references:
+  - https://github.com/sublime-security/sublime-rules/pull/4374
