1+ name : " Business Email Compromise (BEC) with request for mobile number"
2+ description : " This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number."
3+ type : " rule"
4+ severity : " medium"
5+ source : |
6+ type.inbound
7+ and (
8+ length(body.current_thread.text) < 500
9+ or any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
10+ .name == "disclaimer"
11+ ),
12+ .text
13+ ),
14+ (length(body.current_thread.text) - length(.)) < 500
15+ )
16+ )
17+ and length(attachments) == 0
18+ and (
19+ regex.icontains(body.current_thread.text,
20+ '(?:mobile|contact|current|reliable).{0,10}(?:phone|number|#|\bno)|whatsapp|\bcell|personalcell|(?:share|what).{0,25}number.{0,15}(?:connect|reach|text|message|contact|call)|(?:\bdrop|which|send.{0,5}your|best).{0,25}(?:number|\bnum\b|#).{0,15}(?:(?:connect|reach|contact|call).{0,5}you|text|message|works?\b|stay connected)|forward.{0,25}(?:\bnum\b|#)|get (?:your.{0,25}(?:number|\bnum\b|#)|in touch.{0,15}(?:via|by|through).{0,10}(?:text|phone|cell|sms|whatsapp))|(?:provide|confirm|reply.{0,15}with).{0,25}(?:direct|preferred).{0,15}(?:text.?enabled.{0,15})?(?:phone.{0,5})?(?:number|\bnum\b|#|line)|(?:share|send).{0,25}(?:direct|preferred).{0,15}(?:text.?enabled.{0,15})?(?:phone.{0,5})(?:number|\bnum\b|#|line)|(?:share|send).{0,25}preferred.{0,15}(?:text.?enabled.{0,15})?(?:number|\bnum\b|#|line)|(?:direct|preferred).{0,15}line.{0,15}(?:for|to|via).{0,10}(?:text|call|reach|contact|sms)|have.{0,15}preferred.{0,10}number'
21+ )
22+ or (
23+ regex.icontains(body.current_thread.text,
24+ 'give.{0,15}(?:call|ring)\s+(?:on|at)\s+\(?\d'
25+ )
26+ and regex.icontains(body.html.raw, 'href="mailto:')
27+ )
28+ )
29+ and (
30+ any(ml.nlu_classifier(body.current_thread.text).intents,
31+ .name in ("bec", "advance_fee") and .confidence != "low"
32+ )
33+ or (
34+ // confidence can be low on very short bodies
35+ length(body.current_thread.text) < 550
36+ and (
37+ any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec")
38+ or any(ml.nlu_classifier(sender.display_name).intents, .name == "bec")
39+ or any(ml.nlu_classifier(body.current_thread.text).entities,
40+ strings.icontains(.text, "kindly")
41+ )
42+ )
43+ )
44+ )
45+ and (
46+ (
47+ (length(headers.references) > 0 or headers.in_reply_to is null)
48+ and not (
49+ (
50+ strings.istarts_with(subject.subject, "RE:")
51+ or strings.istarts_with(subject.subject, "RES:")
52+ or strings.istarts_with(subject.subject, "R:")
53+ or strings.istarts_with(subject.subject, "ODG:")
54+ or strings.istarts_with(subject.subject, "答复:")
55+ or strings.istarts_with(subject.subject, "AW:")
56+ or strings.istarts_with(subject.subject, "TR:")
57+ or strings.istarts_with(subject.subject, "FWD:")
58+ or regex.imatch(subject.subject,
59+ '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
60+ )
61+ )
62+ )
63+ )
64+ or length(headers.references) == 0
65+ )
66+ and (
67+ not profile.by_sender().solicited
68+ or profile.by_sender().any_messages_malicious_or_spam
69+ )
70+ and not profile.by_sender().any_messages_benign
71+ attack_types :
72+ - " BEC/Fraud"
73+ tactics_and_techniques :
74+ - " Social engineering"
75+ detection_methods :
76+ - " Content analysis"
77+ - " Natural Language Understanding"
78+ - " Sender analysis"
79+ id : " bcfc5199-44a3-5238-8934-d9e5f4646a04"
80+ og_id : " 514ffd68-a663-5b83-8a25-e380f0a7f1a7"
81+ testing_pr : 4719
82+ testing_sha : e3b03ca0bec262e6df4eb93f5e0194f40feb98f1
0 commit comments