Skip to content

Commit 3222c8d

Browse files
[Test Rules] [PR #4719] added rule: Business Email Compromise (BEC) with request for mobile number
1 parent 2b82993 commit 3222c8d

1 file changed

Lines changed: 82 additions & 0 deletions

File tree

Lines changed: 82 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,82 @@
1+
name: "Business Email Compromise (BEC) with request for mobile number"
2+
description: "This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number."
3+
type: "rule"
4+
severity: "medium"
5+
source: |
6+
type.inbound
7+
and (
8+
length(body.current_thread.text) < 500
9+
or any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
10+
.name == "disclaimer"
11+
),
12+
.text
13+
),
14+
(length(body.current_thread.text) - length(.)) < 500
15+
)
16+
)
17+
and length(attachments) == 0
18+
and (
19+
regex.icontains(body.current_thread.text,
20+
'(?:mobile|contact|current|reliable).{0,10}(?:phone|number|#|\bno)|whatsapp|\bcell|personalcell|(?:share|what).{0,25}number.{0,15}(?:connect|reach|text|message|contact|call)|(?:\bdrop|which|send.{0,5}your|best).{0,25}(?:number|\bnum\b|#).{0,15}(?:(?:connect|reach|contact|call).{0,5}you|text|message|works?\b|stay connected)|forward.{0,25}(?:\bnum\b|#)|get (?:your.{0,25}(?:number|\bnum\b|#)|in touch.{0,15}(?:via|by|through).{0,10}(?:text|phone|cell|sms|whatsapp))|(?:provide|confirm|reply.{0,15}with).{0,25}(?:direct|preferred).{0,15}(?:text.?enabled.{0,15})?(?:phone.{0,5})?(?:number|\bnum\b|#|line)|(?:share|send).{0,25}(?:direct|preferred).{0,15}(?:text.?enabled.{0,15})?(?:phone.{0,5})(?:number|\bnum\b|#|line)|(?:share|send).{0,25}preferred.{0,15}(?:text.?enabled.{0,15})?(?:number|\bnum\b|#|line)|(?:direct|preferred).{0,15}line.{0,15}(?:for|to|via).{0,10}(?:text|call|reach|contact|sms)|have.{0,15}preferred.{0,10}number'
21+
)
22+
or (
23+
regex.icontains(body.current_thread.text,
24+
'give.{0,15}(?:call|ring)\s+(?:on|at)\s+\(?\d'
25+
)
26+
and regex.icontains(body.html.raw, 'href="mailto:')
27+
)
28+
)
29+
and (
30+
any(ml.nlu_classifier(body.current_thread.text).intents,
31+
.name in ("bec", "advance_fee") and .confidence != "low"
32+
)
33+
or (
34+
// confidence can be low on very short bodies
35+
length(body.current_thread.text) < 550
36+
and (
37+
any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec")
38+
or any(ml.nlu_classifier(sender.display_name).intents, .name == "bec")
39+
or any(ml.nlu_classifier(body.current_thread.text).entities,
40+
strings.icontains(.text, "kindly")
41+
)
42+
)
43+
)
44+
)
45+
and (
46+
(
47+
(length(headers.references) > 0 or headers.in_reply_to is null)
48+
and not (
49+
(
50+
strings.istarts_with(subject.subject, "RE:")
51+
or strings.istarts_with(subject.subject, "RES:")
52+
or strings.istarts_with(subject.subject, "R:")
53+
or strings.istarts_with(subject.subject, "ODG:")
54+
or strings.istarts_with(subject.subject, "答复:")
55+
or strings.istarts_with(subject.subject, "AW:")
56+
or strings.istarts_with(subject.subject, "TR:")
57+
or strings.istarts_with(subject.subject, "FWD:")
58+
or regex.imatch(subject.subject,
59+
'(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
60+
)
61+
)
62+
)
63+
)
64+
or length(headers.references) == 0
65+
)
66+
and (
67+
not profile.by_sender().solicited
68+
or profile.by_sender().any_messages_malicious_or_spam
69+
)
70+
and not profile.by_sender().any_messages_benign
71+
attack_types:
72+
- "BEC/Fraud"
73+
tactics_and_techniques:
74+
- "Social engineering"
75+
detection_methods:
76+
- "Content analysis"
77+
- "Natural Language Understanding"
78+
- "Sender analysis"
79+
id: "bcfc5199-44a3-5238-8934-d9e5f4646a04"
80+
og_id: "514ffd68-a663-5b83-8a25-e380f0a7f1a7"
81+
testing_pr: 4719
82+
testing_sha: e3b03ca0bec262e6df4eb93f5e0194f40feb98f1

0 commit comments

Comments
 (0)