Create suspicious_request_financial.yml (#2021)

Co-authored-by: ID Generator <[email protected]>

detection-rules/suspicious_request_financial.yml

@@ -0,0 +1,53 @@
+name: "Suspicious Request for Financial Information"
+description: "Email is from a suspicious sender and contains a request for financial information, such as AR reports."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  // no attachments
+  and length(attachments) == 0
+  // direct to recipient
+  and length(recipients.to) == 1
+  // suspicious sender
+  and (
+    (
+      length(headers.reply_to) > 0
+      and all(headers.reply_to,
+              .email.domain.root_domain != sender.email.domain.root_domain
+              and .email.domain.root_domain not in $org_domains
+      )
+    )
+    or sender.email.domain.root_domain in $free_email_providers
+    or profile.by_sender().days_known < 3
+  )
+  // specific financial language
+  and (
+    regex.icontains(subject.subject,
+                    '\b(Aged|Age?ing) (Payables|Receivables|Report)'
+    )
+    or regex.icontains(body.current_thread.text,
+                       '\b(Aged|Age?ing) (Payables|Receivables|Report)',
+                       "updated (AR|accounts? (Payables|Receivables))"
+    )
+  )
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  and not profile.by_sender().any_false_positives
+
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Free email provider"
+  - "Impersonation: Employee"
+  - "Impersonation: VIP"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "4ebdaa4d-4db2-56c6-9a6c-220ad49b7681"