• Sublime Core Feed
Medium Severity

Advance Fee Fraud (AFF) from freemail provider or suspicious TLD

Labels

Description

Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised

future returns, such as lottery scams, inheritance payouts, and investment opportunities.

This rule identifies messages from Freemail domains or suspicious TLDS, including those

with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect

AFF language in their contents.

References

No references.

Sublime Security
Created Oct 17th, 2023 • Last updated Feb 23rd, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  sender.email.domain.domain in $free_email_providers
  or (
    length(headers.reply_to) > 0
    and all(headers.reply_to,
            (
              .email.domain.root_domain in $free_email_providers
              or .email.domain.tld in $suspicious_tlds
            )
            and .email.email != sender.email.email
    )
  )
  or sender.email.domain.tld in $suspicious_tlds
)
and (
  any(ml.nlu_classifier(body.current_thread.text).tags,
      .name == "advance_fee" and .confidence in ("medium", "high")
  )
  or (
    length(body.current_thread.text) < 200
    and regex.icontains(body.current_thread.text,
                        '(donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
    )
  )
)
and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )

  and not profile.by_sender().any_false_positives

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started