• Sublime Core Feed
Medium Severity

BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns

Labels

BEC/Fraud
Callback Phishing
Spam
Impersonation: Brand
Social engineering
Free email provider
Content analysis
Header analysis
Sender analysis
Whois

Description

Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes.

References

No references.

Sublime Security
Created Jan 16th, 2025 • Last updated Mar 10th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound

and 3 of (
  // urgent subjects
  strings.ilike(subject.subject, '*quick question*'),
  strings.ilike(subject.subject, '*urgent*request*'),
  strings.ilike(subject.subject, '*are you available*'),
  strings.ilike(subject.subject, '*need assistance*'),
  strings.ilike(subject.subject, '*help*needed*'),
  regex.icontains(subject.subject, 'favor\b'),
  strings.ilike(subject.subject, '*checking in*'),
  strings.ilike(subject.subject, '*awaiting*response*'),
  strings.ilike(subject.subject, '*catch*up*'),



  // BEC body patterns
  strings.ilike(body.current_thread.text, '*sorry to bother*'),
  strings.ilike(body.current_thread.text, '*are you busy*'),
  strings.ilike(body.current_thread.text, '*can you help*'),
  strings.ilike(body.current_thread.text, '*do you have a moment*'),
  strings.ilike(body.current_thread.text, '*please respond*asap*'),
  strings.ilike(subject.subject, '*quick question*'),


  // brand name
  regex.icontains(body.current_thread.text, 'a\s?m\s?a\s?z\s?o\s?n'), // Catches "Amaz on", "Amazon", etc.
  regex.icontains(body.current_thread.text, 'p\s?a\s?y\s?p\s?a\s?l'),
  regex.icontains(body.current_thread.text, 'a\s?p\s?p\s?l\s?e'),

  // short body
  length(body.current_thread.text) < 200,
  strings.count(body.current_thread.text, ' ') < 30
)

and 3 of (
  // suspicious sender
  sender.email.domain.root_domain in $free_email_providers,
  network.whois(sender.email.domain).days_old < 30,

  // suspicious recipient pattern
  any(recipients.to, strings.ilike(.display_name, 'undisclosed?recipients')),
  length(recipients.to) == 1, // Single recipient

  // header checks
  strings.starts_with(headers.mailer, 'Open-Xchange Mailer'),
  strings.ilike(headers.x_originating_ip.ip, '*.*.*.0'), // Common in some BEC campaigns
  // deifferent reply-to address
  (length(headers.reply_to) > 0 and sender.email.email not in map(headers.reply_to, .email.email)),
  // sender display name is part of the subject
  strings.icontains(subject.subject, sender.display_name),
)
and profile.by_sender_email().prevalence not in ("common")
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started