[Test Rules] [PR #4368] modified rule: Link: Invoice-related BEC with newly registered domain < 60 days

github-actions[bot] · github-actions[bot] · commit ec0a7ec3eaee · 2026-04-22T23:06:57.000Z
diff --git a/detection-rules/4368_link_previous_thread_invoice.yml b/detection-rules/4368_link_previous_thread_invoice.yml
@@ -8,11 +8,11 @@ source: |
     and (
       any(body.current_thread.links, network.whois(.href_url.domain).days_old < 60)
       and regex.icontains(subject.subject,
-                          '\b(fyi|attention|proposal|purchase|invoice|payment|wire|agreement|contract|settlement)\b'
+                          '\b(proposal|purchase|invoice|payment|wire|agreement|contract|settlement)\b'
       )
       and any(body.links,
               regex.icontains(.display_text,
-                              '[VIEW|REVIEW|CLICK|DOWNLOAD|CHECK|VALIDATE]'
+                              '(?:VIEW|REVIEW|CLICK|DOWNLOAD|CHECK|VALIDATE)'
               )
       )
       and any([body.current_thread.text],
@@ -29,16 +29,33 @@ source: |
               )
       )
       and (
-        // language attempting to engage
-        (
+        any(ml.nlu_classifier(body.current_thread.text).intents,
+            .name == "bec" and .confidence != "low"
+        )
+        or (
           any(ml.nlu_classifier(body.current_thread.text).entities,
-              .name in ("request", "financial")
+              .name in ("urgency", "request")
           )
         )
+        or any(ml.nlu_classifier(body.current_thread.text).tags,
+               .name in ("invoice", "payment")
+        )
       )
     )
     // prevent benign emails
-    and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
+    and not any(ml.nlu_classifier(body.current_thread.text).intents,
+                .name == "benign"
+    )
+    // and (
+    //   (
+    //     profile.by_sender().prevalence != "common"
+    //     and not profile.by_sender().solicited
+    //   )
+    //   or (
+    //     profile.by_sender().any_messages_malicious_or_spam
+    //     and not profile.by_sender().any_messages_benign
+    //   )
+    // )
     // negate highly trusted sender domains unless they fail DMARC authentication
     and (
       (
@@ -47,6 +64,7 @@ source: |
       )
       or sender.email.domain.root_domain not in $high_trust_sender_root_domains
     )
+    and not profile.by_sender().any_messages_benign
 
 attack_types:
   - "BEC/Fraud"
@@ -61,4 +79,4 @@ detection_methods:
 id: "51c6b50f-7a68-5ee8-9897-510d11bc255c"
 og_id: "fee020b6-4a01-5ed3-a924-b5aa4415d3e9"
 testing_pr: 4368
-testing_sha: 6ec9ac8d5b7735a0e7a7083a71e8e534f983d5c1
+testing_sha: 0e93397c19fc459f8645002eb59dfe1640852ffc

Original file line number	Diff line number	Diff line change
`@@ -8,11 +8,11 @@ source: \|`
`8`	`8`	`and (`
`9`	`9`	`any(body.current_thread.links, network.whois(.href_url.domain).days_old < 60)`
`10`	`10`	`and regex.icontains(subject.subject,`
`11`		`- '\b(fyi\|attention\|proposal\|purchase\|invoice\|payment\|wire\|agreement\|contract\|settlement)\b'`
	`11`	`+ '\b(proposal\|purchase\|invoice\|payment\|wire\|agreement\|contract\|settlement)\b'`
`12`	`12`	`)`
`13`	`13`	`and any(body.links,`
`14`	`14`	`regex.icontains(.display_text,`
`15`		`- '[VIEW\|REVIEW\|CLICK\|DOWNLOAD\|CHECK\|VALIDATE]'`
	`15`	`+ '(?:VIEW\|REVIEW\|CLICK\|DOWNLOAD\|CHECK\|VALIDATE)'`
`16`	`16`	`)`
`17`	`17`	`)`
`18`	`18`	`and any([body.current_thread.text],`
`@@ -29,16 +29,33 @@ source: \|`
`29`	`29`	`)`
`30`	`30`	`)`
`31`	`31`	`and (`
`32`		`- // language attempting to engage`
`33`		`- (`
	`32`	`+ any(ml.nlu_classifier(body.current_thread.text).intents,`
	`33`	`+ .name == "bec" and .confidence != "low"`
	`34`	`+ )`
	`35`	`+ or (`
`34`	`36`	`any(ml.nlu_classifier(body.current_thread.text).entities,`
`35`		`- .name in ("request", "financial")`
	`37`	`+ .name in ("urgency", "request")`
`36`	`38`	`)`
`37`	`39`	`)`
	`40`	`+ or any(ml.nlu_classifier(body.current_thread.text).tags,`
	`41`	`+ .name in ("invoice", "payment")`
	`42`	`+ )`
`38`	`43`	`)`
`39`	`44`	`)`
`40`	`45`	`// prevent benign emails`
`41`		`- and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")`
	`46`	`+ and not any(ml.nlu_classifier(body.current_thread.text).intents,`
	`47`	`+ .name == "benign"`
	`48`	`+ )`
	`49`	`+ // and (`
	`50`	`+ // (`
	`51`	`+ // profile.by_sender().prevalence != "common"`
	`52`	`+ // and not profile.by_sender().solicited`
	`53`	`+ // )`
	`54`	`+ // or (`
	`55`	`+ // profile.by_sender().any_messages_malicious_or_spam`
	`56`	`+ // and not profile.by_sender().any_messages_benign`
	`57`	`+ // )`
	`58`	`+ // )`
`42`	`59`	`// negate highly trusted sender domains unless they fail DMARC authentication`
`43`	`60`	`and (`
`44`	`61`	`(`
`@@ -47,6 +64,7 @@ source: \|`
`47`	`64`	`)`
`48`	`65`	`or sender.email.domain.root_domain not in $high_trust_sender_root_domains`
`49`	`66`	`)`
	`67`	`+ and not profile.by_sender().any_messages_benign`
`50`	`68`
`51`	`69`	`attack_types:`
`52`	`70`	`- "BEC/Fraud"`
`@@ -61,4 +79,4 @@ detection_methods:`
`61`	`79`	`id: "51c6b50f-7a68-5ee8-9897-510d11bc255c"`
`62`	`80`	`og_id: "fee020b6-4a01-5ed3-a924-b5aa4415d3e9"`
`63`	`81`	`testing_pr: 4368`
`64`		`-testing_sha: 6ec9ac8d5b7735a0e7a7083a71e8e534f983d5c1`
	`82`	`+testing_sha: 0e93397c19fc459f8645002eb59dfe1640852ffc`