diff --git a/detection-rules/body_extortion.yml b/detection-rules/body_extortion.yml
new file mode 100644
index 00000000000..e2a6eb6452a
--- /dev/null
+++ b/detection-rules/body_extortion.yml
@@ -0,0 +1,132 @@
+name: "Extortion / sextortion (untrusted sender)"
+description: |
+  Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
+references:
+  - "https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/"
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  and length(filter(body.links, .display_text is not null)) < 10
+  and not (
+    ml.nlu_classifier(body.current_thread.text).language == "english"
+    and any(beta.ml_topic(body.html.display_text).topics,
+            .name in (
+              "News and Current Events",
+              "Newsletters and Digests",
+              "Advertising and Promotions"
+            )
+            and .confidence == "high"
+    )
+  )
+  and (
+    (
+      any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text)).intents,
+          .name == "extortion" and .confidence == "high"
+      )
+      and any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text
+                                )
+              ).entities,
+              .name == "financial"
+      )
+    )
+    // manual indicators failsafe
+    or 3 of (
+      // malware terms
+      regex.icontains(strings.replace_confusables(body.current_thread.text),
+                      "((spy|mal)ware|t[rŗ]ojan|remote control)"
+      ),
+      // actions recorded
+      regex.icontains(strings.replace_confusables(body.current_thread.text),
+                      "po[rŗ]n|adult (web)?site|webcam|mastu[rŗ]bating|je[rŗ]king off|pleasu[rŗ]ing you[rŗ]self|getting off"
+      ),
+      regex.icontains(strings.replace_confusables(body.current_thread.text),
+                      "perver[rŗ]|perve[rŗ]sion|mastu[rŗ]bat"
+      ),
+      // a timeframe to pay
+      regex.icontains(strings.replace_confusables(body.current_thread.text),
+                      '[ilo0-9]{2} (?:hou[rŗ]s|uu[rŗ])',
+                      '(?:one|two|th[rŗ]ee|\d) days?'
+      ),
+      // a promise from the actor
+      regex.icontains(strings.replace_confusables(body.current_thread.text),
+                      '(?:pe[rŗ]manently|will) delete|([rŗ]emove|destroy) (?:\w+\s*){0,4} (?:data|evidence|videos?)'
+      ),
+      // a threat from the actor
+      regex.icontains(strings.replace_confusables(body.current_thread.text),
+                      'sen[dt]\s*(?:\w+\s*){0,2}\s*to\s*(?:\w+\s*){0,3}\s*you[rŗ] contacts'
+      ),
+      // bitcoin language (excluding newsletters)
+      (
+        regex.icontains(strings.replace_confusables(body.current_thread.text),
+                        'bitc[oöة]+in|\bbtc\b|blockchain'
+        )
+        // negate cryptocurrency newsletters
+        and not (
+          any(body.links,
+              strings.icontains(.display_text, "unsubscribe")
+              and (
+                strings.icontains(.href_url.path, "unsubscribe")
+                // handle mimecast URL rewrites
+                or (
+                  .href_url.domain.root_domain == 'mimecastprotect.com'
+                  and strings.icontains(.href_url.query_params,
+                                        sender.email.domain.root_domain
+                  )
+                )
+              )
+          )
+        )
+      ),
+      (
+        regex.icontains(strings.replace_confusables(body.current_thread.text),
+                        '(?:contact the police|(?:bitcoin|\bbtc\b).{0,20}wallet)'
+        )
+        and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                            '(\b[13][a-km-zA-HJ-NP-Z0-9]{24,34}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
+        )
+      ),
+      regex.icontains(strings.replace_confusables(body.current_thread.text),
+                      'bc1q.{0,50}\b'
+      )
+    )
+  )
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
+
+    // many extortion emails spoof sender domains and fail sender authentication
+    or (
+      not headers.auth_summary.dmarc.pass
+      or headers.auth_summary.dmarc.pass is null
+      or not headers.auth_summary.spf.pass
+    )
+  )
+
+  // negate benign newsletters that mention cyber extortion
+  and not (
+    any(body.links,
+        strings.icontains(.display_text, "unsubscribe")
+        and strings.icontains(.href_url.path, "unsubscribe")
+        // newsletters are typically longer than the average extortion script
+        and length(body.current_thread.text) > 2000
+    )
+  )
+  and length(body.current_thread.text) < 6000
+attack_types:
+  - "Extortion"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Spoofing"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+id: "265913eb-2ccd-5f77-9a09-f6d8539fd2f6"
+testing_pr: 2438
+testing_sha: 234b508f9f6dc63dff153e5a2c84a80cefc9a902