[Test Rules] [PR #4368] added rule: Link: Invoice-related BEC with newly registered domain < 60 days

github-actions[bot] · github-actions[bot] · commit 264131b91b63 · 2026-04-17T19:59:05.000Z
diff --git a/detection-rules/4368_link_previous_thread_invoice.yml b/detection-rules/4368_link_previous_thread_invoice.yml
@@ -0,0 +1,65 @@
+name: "Link: Invoice-related BEC with newly registered domain < 60 days "
+description: "Detects Business Email Compromise attacks using fake reply/forward threads containing links to newly registered domains (less than 60 days old) with invoice-related language and engaging action words. The message includes financial or payment terminology and prompts the recipient to take action through suspicious links."
+type: "rule"
+severity: "medium"
+source: |
+    type.inbound
+    and (subject.is_reply or subject.is_forward)
+    and (
+      any(body.current_thread.links, network.whois(.href_url.domain).days_old < 60)
+      and any(body.links,
+              regex.icontains(.display_text,
+                              '[VIEW|REVIEW|CLICK|DOWNLOAD|CHECK|VALIDATE]'
+              )
+      )
+      and any([body.current_thread.text],
+              regex.icontains(.,
+                              'wire transfer',
+                              'payment',
+                              'invoice',
+                              'ACH',
+                              'kindly download',
+                              'document',
+                              'kindly',
+                              'urgently',
+                              'confirm'
+              )
+      )
+      and (
+        // language attempting to engage
+        (
+          any(ml.nlu_classifier(body.current_thread.text).entities,
+              .name in ("request", "financial")
+          )
+        )
+        // invoicing language
+        and any(ml.nlu_classifier(body.current_thread.text).tags,
+                .name == "invoice"
+        )
+      )
+    )
+    // prevent benign emails
+    and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
+    // negate highly trusted sender domains unless they fail DMARC authentication
+    and (
+      (
+        sender.email.domain.root_domain in $high_trust_sender_root_domains
+        and not headers.auth_summary.dmarc.pass
+      )
+      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+    )
+
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Evasion"
+  - "Spoofing"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+  - "URL analysis"
+id: "51c6b50f-7a68-5ee8-9897-510d11bc255c"
+og_id: "fee020b6-4a01-5ed3-a924-b5aa4415d3e9"
+testing_pr: 4368
+testing_sha: 04bf2bb2c0edddece7c3ecf47308b1ac9c91550c
