-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update body_advance_fee_new_sender.yml by @morriscode #922 Source SHA cfbd6ec Triggered by @morriscode
- Loading branch information
Sublime Rule Testing Bot
committed
Nov 6, 2023
1 parent
7096376
commit 07b9f30
Showing
1 changed file
with
55 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| name: "Body: Advance Fee Fraud (AFF) from Freemail providers or Suspicious TLDs" | ||
| description: | | ||
| Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised | ||
| future returns, such as lottery scams, inheritance payouts, and investment opportunities. | ||
| This rule identifies messages from Freemail domains or suspicious TLDS, including those | ||
| with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect | ||
| AFF language in their contents. | ||
| type: "rule" | ||
| severity: "medium" | ||
| source: | | ||
| type.inbound | ||
| and ( | ||
| sender.email.domain.domain in $free_email_providers | ||
| or ( | ||
| length(headers.reply_to) > 0 | ||
| and all(headers.reply_to, | ||
| ( | ||
| .email.domain.root_domain in $free_email_providers | ||
| or .email.domain.tld in $suspicious_tlds | ||
| ) | ||
| and .email.email != sender.email.email | ||
| ) | ||
| ) | ||
| or sender.email.domain.tld in $suspicious_tlds | ||
| ) | ||
| and ( | ||
| any(ml.nlu_classifier(body.current_thread.text).tags, | ||
| .name == "advance_fee" and .confidence in ("medium", "high") | ||
| ) | ||
| or ( | ||
| length(body.current_thread.text) < 200 | ||
| and regex.icontains(body.current_thread.text, | ||
| '(donation|inheritence|\$\d,\d\d\d\,\d\d\d|lottery)' | ||
| ) | ||
| ) | ||
| ) | ||
| and ( | ||
| profile.by_sender().prevalence in ("new", "outlier") | ||
| or ( | ||
| profile.by_sender().any_messages_malicious_or_spam | ||
| and not profile.by_sender().any_false_positives | ||
| ) | ||
| ) | ||
| attack_types: | ||
| - "BEC/Fraud" | ||
| tactics_and_techniques: | ||
| - "Social engineering" | ||
| detection_methods: | ||
| - "Content analysis" | ||
| - "Header analysis" | ||
| - "Natural Language Understanding" | ||
| - "Sender analysis" | ||
| id: "6a5af373-a97b-5013-aeec-42ac8b4b8ba1" | ||
| testing_pr: 922 | ||
| testing_sha: cfbd6ecc6b94416e898a284b2601d838eb91b83a |