Medium Severity
BEC/Fraud: Romance Scam
Description
This rule detects messages attempting to initiate a Romance scam. The rule leverage tells such as undisclosed recipients, freemail emails in the body and common scam phrasing. Romance scams are deceptive schemes where scammers establish false romantic intentions towards individuals to gain their trust and eventually exploit them financially.
References
No references.
Sublime Security
Created Nov 22nd, 2023 • Last updated Nov 23rd, 2023
Feed Source
Sublime Core Feed
Source
type.inbound
// no links
and (
length(body.links) == 0
// or 1 link, but link doesn't match the sender's domain
or (
length(body.links) == 1
and sender.email.domain.root_domain not in $free_email_providers
and all(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
)
)
)
// no attachments
and length(attachments) == 0
// honorific
and regex.icontains(sender.display_name,
'(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+'
)
// And an email is found in the body, and a freemail domain is found also
and (
regex.contains(body.current_thread.text,
"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
)
and any($free_email_providers, strings.icontains(body.current_thread.text, .))
)
// common scammy phrases
and regex.icontains(body.current_thread.text,
"(I am|My name is) .* (from|staying in) .+\\.",
".*(years old|cm|kg).*\\.",
".*(photo|pictures|sexy).*\\.",
".*(email|contact me|write to me|reply to me) at .*@.*\\."
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
and not profile.by_sender().any_false_positives
Playground
Test against your own EMLs or sample data.