1+ name : " Suspicious request for financial information"
2+ description : " Email is from a suspicious sender and contains a request for financial information, such as AR reports."
3+ type : " rule"
4+ severity : " high"
5+ source : |
6+ type.inbound
7+ and length(attachments) <= 1
8+ and length(recipients.to) <= 2
9+ // suspicious sender
10+ and (
11+ (
12+ length(headers.reply_to) > 0
13+ and all(headers.reply_to,
14+ .email.domain.root_domain != sender.email.domain.root_domain
15+ and .email.domain.root_domain not in $org_domains
16+ )
17+ )
18+ or sender.email.domain.root_domain in $free_email_providers
19+ or profile.by_sender().days_known < 3
20+ )
21+ // specific financial language
22+ and (
23+ regex.icontains(subject.subject,
24+ '\b(Aged|Age?ing) (Payables|Receivables|Report)',
25+ 'reconcill?iation (report|statement).*(issued (settlement|advice)s?)|billing records?'
26+ )
27+ or (
28+ regex.icontains(body.current_thread.text,
29+ '\b(Aged|Age?ing) (Payables|Receivables|Report)',
30+ '(updated|recent) (\bAR\b|\b\AP\b|\bAR\b \& \bAP\b|accounts?) (Payables|Receivables|Reports)',
31+ '(shared?|send|forward|provide).*remittance (advice|receipts?|statements?)'
32+ )
33+ or strings.icontains(body.current_thread.text,
34+ "copy of a current statement"
35+ )
36+ or (
37+ strings.icontains(body.current_thread.text, "please send all past due")
38+ and strings.icontains(body.current_thread.text, "current invoices")
39+ )
40+ )
41+ // suspicious link display text
42+ or (
43+ any(body.links,
44+ regex.icontains(.display_text,
45+ '(Payment|Remittance|Settlement|Transfer) ?Batch',
46+ )
47+ )
48+ )
49+ // suspicious sender display name
50+ or (
51+ regex.icontains(sender.display_name,
52+ 'Accounts? (?:Payable (?:Dep(\.|t\.?|artment)|e?Receipt)|(Co[[:punct:]]?ordinator|Admin|Manager|Payee))'
53+ )
54+ // sender email listed as a recipient or recipients undisclosed/null
55+ and (
56+ (
57+ sender.email.email in map(recipients.to, .email.email)
58+ or (length(recipients.to) == 0 or length(recipients.to) is null)
59+ )
60+ // non-benign nlu intent
61+ or any(ml.nlu_classifier(body.current_thread.text).intents,
62+ .name != "benign"
63+ )
64+ )
65+ )
66+ or (
67+ any(ml.nlu_classifier(body.current_thread.text).intents,
68+ .name == "cred_theft" and .confidence == "high"
69+ )
70+ and any(ml.nlu_classifier(body.current_thread.text).entities,
71+ .name == "financial" and .text =~ "remittance"
72+ )
73+ )
74+ )
75+ // negate resume related/job inquiry outreach
76+ and not (
77+ any(ml.nlu_classifier(body.current_thread.text).topics,
78+ .name == "Professional and Career Development" and .confidence == "high"
79+ )
80+ and any(ml.nlu_classifier(body.current_thread.text).intents,
81+ .name == "benign" and .confidence != "low"
82+ )
83+ )
84+ and (
85+ (
86+ sender.email.domain.root_domain in $high_trust_sender_root_domains
87+ and not headers.auth_summary.dmarc.pass
88+ )
89+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
90+ )
91+ and not profile.by_sender().any_messages_benign
92+
93+ attack_types :
94+ - " BEC/Fraud"
95+ tactics_and_techniques :
96+ - " Free email provider"
97+ - " Impersonation: Employee"
98+ - " Impersonation: VIP"
99+ - " Social engineering"
100+ detection_methods :
101+ - " Content analysis"
102+ - " Header analysis"
103+ - " Sender analysis"
104+ id : " adfc7d68-7b1e-565c-ad15-76235fece7b2"
105+ og_id : " 4ebdaa4d-4db2-56c6-9a6c-220ad49b7681"
106+ testing_pr : 4385
107+ testing_sha : dc4493508d23176850f3cd890234cab4c3791aac
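Review bot: The body regex on line 30 contains `\b\AP\b`, where `\A` is the start-of-text anchor in the common regex flavours, so that alternative can only match an "AP" that begins the entire body text and the "(updated|recent) AP Payables/Receivables" phrasing the comment on line 21 is after will almost never fire; the intended token is clearly `\bAP\b`. The corrected line would be `'(updated|recent) (\bAR\b|\bAP\b|\bAR\b \& \bAP\b|accounts?) (Payables|Receivables|Reports)',`. Separately, the `regex.icontains` call on lines 44-46 ends its argument list with a trailing comma before the closing parenthesis; if the MQL parser does not accept that, the whole `source` fails to compile, so it is worth dropping the comma to match the other calls in the rule. The file is added in full, so the enclosing `source` block is complete within the hunk.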