Low Severity
BEC/Fraud: Generic Scam attempt to Undisclosed Receipients
Description
Detects potential generic scams by analyzing text within the email body and other suspicious signals.
References
No references.
Sublime Security
Created Nov 22nd, 2023 • Last updated Apr 23rd, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
// undisclosed recipients
and any([recipients.to, recipients.bcc, recipients.cc],
any(., .display_name =~ "Undisclosed recipients")
)
// mismatched sender (from) and Reply-to
and any(headers.reply_to,
length(headers.reply_to) > 0
and all(headers.reply_to,
.email.domain.root_domain != sender.email.domain.root_domain
)
)
// generic recipient
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "recipient" and regex.icontains(.text, "(sir|madam)")
)
// request made
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request")
// not a bec scam
and all(ml.nlu_classifier(body.current_thread.text).intents,
.name != "bec"
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
and not profile.by_sender().any_false_positives
Playground
Test against your own EMLs or sample data.