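--- /dev/null
+++ b/detection-rules/link_previous_thread_invoice.yml
@@ -0,0 +1,79 @@
+name: "Link: Invoice-related BEC with newly registered domain < 60 days "
+description: "Detects Business Email Compromise attacks using fake reply/forward threads containing links to newly registered domains (less than 60 days old) with invoice-related language and engaging action words. The message includes financial or payment terminology and prompts the recipient to take action through suspicious links."
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+and (subject.is_reply or subject.is_forward)
+and (
+any(body.current_thread.links, network.whois(.href_url.domain).days_old < 60)
+and regex.icontains(subject.subject,
+'\b(proposal|purchase|invoice|payment|wire|agreement|contract|settlement)\b'
+)
+and any(body.links,
+regex.icontains(.display_text,
+'(?:VIEW|REVIEW|CLICK|DOWNLOAD|CHECK|VALIDATE)'
+)
+)
+and any([body.current_thread.text],
+regex.icontains(.,
+'wire transfer',
+'payment',
+'invoice',
+'ACH',
+'kindly download',
+'document',
+'kindly',
+'urgently',
+'confirm'
+)
+)
+and (
+any(ml.nlu_classifier(body.current_thread.text).intents,
+.name == "bec" and .confidence != "low"
+)
+or (
+any(ml.nlu_classifier(body.current_thread.text).entities,
+.name in ("urgency", "request")
+)
+)
+or any(ml.nlu_classifier(body.current_thread.text).tags,
+.name in ("invoice", "payment")
+)
+)
+)
+// prevent benign emails
+and not any(ml.nlu_classifier(body.current_thread.text).intents,
+.name == "benign"
+)
+// and (
+// (
+// profile.by_sender().prevalence != "common"
+// and not profile.by_sender().solicited
+// )
+// or (
+// profile.by_sender().any_messages_malicious_or_spam
+// and not profile.by_sender().any_messages_benign
+// )
+// )
+// negate highly trusted sender domains unless they fail DMARC authentication
+and (
+(
+sender.email.domain.root_domain in $high_trust_sender_root_domains
+and not coalesce(headers.auth_summary.dmarc.pass, false)
+)
+or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+)
+and not profile.by_sender().any_messages_benign
+
+attack_types:
+- "BEC/Fraud"
+tactics_and_techniques:
+- "Social engineering"
+- "Evasion"
+- "Spoofing"
+detection_methods:
+- "Header analysis"
+- "Sender analysis"
+- "URL analysis"
+id: "fee020b6-4a01-5ed3-a924-b5aa4415d3e9"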
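Review bot: The domain-age check runs over `body.current_thread.links` while the action-word check runs over `body.links`, so a newly registered domain in the current thread and a "VIEW"/"CLICK" link anywhere in the quoted body (possibly a legitimate one in the earlier thread) satisfy the rule without being the same link. Correlating both on one link tightens the match and cuts false positives: `any(body.current_thread.links, network.whois(.href_url.domain).days_old < 60 and regex.icontains(.display_text, '\b(view|review|click|download|check|validate)\b'))`, with the separate `any(body.links, …)` clause dropped. The `\b` anchors also stop `REVIEW` and `CHECK` matching substrings such as "preview" or "checkout", and since `regex.icontains` is case-insensitive the uppercase in the current pattern appears redundant. The commented-out `// and (` … `// )` sender-profile block, and the trailing space in the `name` value, look like leftovers worth removing before merge.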