
Commit 98117e0

[Shared Samples] [PR #4727] added rule: PR# 4727 - BEC/Fraud: Unsolicited business acquisition offer
1 parent 4c94af9 commit 98117e0

1 file changed

Lines changed: 35 additions & 0 deletions


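--- /dev/null
+++ b/<file path not shown on page>
@@ -0,0 +1,35 @@
+name: "PR# 4727 - BEC/Fraud: Unsolicited business acquisition offer"
+description: "Detects inbound messages with subjects referencing an offer to purchase, combined with body content mentioning private equity, acquiring companies, or discussing an opportunity. These messages are characteristic of fraudulent or unsolicited business acquisition solicitations designed to engage targets in fraudulent financial dealings."
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+and strings.icontains(subject.base, "Offer to Purchase")
+and (
+strings.icontains(body.plain.raw,
+"private equity",
+"acquiring companies",
+"discuss the opportunity"
+)
+or (
+any(ml.nlu_classifier(body.current_thread.text).entities,
+.name == "financial" and strings.icontains(.text, "purchase")
+)
+and any(ml.nlu_classifier(body.current_thread.text).topics,
+.name == "B2B Cold Outreach" and .confidence == "high"
+)
+)
+)
+attack_types:
+- "BEC/Fraud"
+tactics_and_techniques:
+- "Social engineering"
+detection_methods:
+- "Content analysis"
+id: "b490993a-3bb2-5e9a-afd3-f73c026b8a71"
+tags:
+- created_from_open_prs
+- rule_status_modified
+- pr_author_markmsublime
+references:
+- https://github.com/sublime-security/sublime-rules/pull/4727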
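Review bot: The keyword branch of `source` reads only `body.plain.raw`, so a message delivered as HTML without a plain-text part (where that field may be empty) is evaluated solely by the ML branch, which additionally demands a high-confidence `B2B Cold Outreach` topic; consider also matching the rendered HTML text, e.g. `strings.icontains(body.html.inner_text, "private equity", "acquiring companies", "discuss the opportunity")`. There is no sender-reputation negation, so a genuine acquisition enquiry from an established correspondent whose subject contains `Offer to Purchase` alerts just the same; if the intent is unsolicited mail only, a `not profile.by_sender().solicited`-style exclusion is worth considering (confirm the exact field against the MQL reference). `ml.nlu_classifier(body.current_thread.text)` is invoked twice, once per `any(...)`; that is a style point only. The indentation of the `source:` block and the list items is not visible on this rendered page, so it is assumed the committed file is valid YAML.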
