Medium Severity
Business Email Compromise (BEC) with request for mobile number
Description
This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number.
References
No references.
Sublime Security
Created Feb 29th, 2024 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and length(body.current_thread.text) < 500
and length(attachments) == 0
and regex.icontains(body.current_thread.text,
'(mobile|contact|current).{0,10}(phone|number|#|\bno)|whatsapp|\bcell|personalcell'
)
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("bec", "advance_fee") and .confidence in ("medium", "high")
)
or (
// confidence can be low on very short bodies
length(body.current_thread.text) < 550
and (
any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec")
or any(ml.nlu_classifier(sender.display_name).intents, .name == "bec")
or any(ml.nlu_classifier(body.current_thread.text).entities,
strings.icontains(.text, "kindly")
)
)
)
)
and (
(
(
length(headers.references) > 0
or not any(headers.hops,
any(.fields, strings.ilike(.name, "In-Reply-To"))
)
)
and not (
(
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "RES:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject, "答复:")
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*')
)
)
)
or length(headers.references) == 0
)
and (
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.