Description

This rule detects BEC/Fraud lures that attempt to solicit the victim to pivot out of band via a freemail address in the body.

References

No references.

Sublime Security
Created Nov 22nd, 2023 • Last updated Apr 30th, 2026
Source
type.inbound

// body is short
and length(body.current_thread.text) < 800

// one recipient
and length(recipients.to) == 1

// all recipients are the sender
and all(recipients.to,
        .email.email == sender.email.email
        and (
          .email.domain.valid or strings.icontains(.display_name, "undisclosed")
        )
)

// not an org domain
and all(recipients.to,
        .email.domain.root_domain not in $org_domains
        and (
          .email.domain.valid or strings.icontains(.display_name, "undisclosed")
        )
)

// one link
and length(body.links) == 1

// links don't match sender
and all(body.links,
        .href_url.domain.root_domain != sender.email.domain.root_domain
)

// scam indicators
and regex.icontains(body.current_thread.text,
                    '((?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+)|(sir|madam|kindly)|(dringend|eingefordert|anspruch)'
)

// body contains an email address to a freemail provider
and (
  regex.contains(body.current_thread.text,
                 "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
  )
  and any($free_email_providers, strings.icontains(body.current_thread.text, .))
)