diff --git a/detection-rules/bec_fraud_penpal_scam.yml b/detection-rules/bec_fraud_penpal_scam.yml new file mode 100644 index 00000000000..c9e6e48dfa2 --- /dev/null +++ b/detection-rules/bec_fraud_penpal_scam.yml @@ -0,0 +1,63 @@ +name: "PenPal Scam" +description: "This rule detects messages from individuals looking to establish contact under the guise of seeking friendship or a penpal relationship. Over time, they build trust and then exploit this relationship by asking for money, personal information, or involvement in suspicious activities." +type: "rule" +severity: "medium" +source: | + type.inbound + + // the sender or the reply-to is a freemail provider + and ( + sender.email.domain.domain in $free_email_providers + or any(headers.reply_to, + .email.domain.root_domain in $free_email_providers + and not sender.email.domain.root_domain in $free_email_providers + ) + ) + + // body contains pen ?pal + and regex.contains(body.current_thread.text, 'pen\s?pal') + + // and NLU Request + and any(ml.nlu_classifier(body.current_thread.text).entities, + .name == "request" + ) + + // not a reply + and ( + length(headers.references) == 0 + or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + ) + + // new sender + and ( + ( + profile.by_sender().prevalence in ("new", "outlier") + and not profile.by_sender().solicited + ) + or profile.by_sender().any_messages_malicious_or_spam + ) + and not profile.by_sender().any_false_positives + + // negate highly trusted sender domains unless they fail DMARC authentication + and ( + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + and ( + any(distinct(headers.hops, .authentication_results.dmarc is not null), + strings.ilike(.authentication_results.dmarc, "*fail") + ) + ) + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ) + +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Free email provider" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Sender analysis" +id: "a4bdfa17-7527-5ee2-a27b-44d03e190773"