Medium Severity

COVID-19 themed fraud with sender and reply-to mismatch or compensation award

Labels

BEC/Fraud

Free email provider

Social engineering

Content analysis

Header analysis

Natural Language Understanding

Sender analysis

Description

Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance, compensation, or awards from mismatched senders and other suspicious language.

References

No references.

Sublime Security

Created Nov 22nd, 2023 • Last updated Jul 16th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound

// mismatched sender (From) and Reply-to + freemail
and any(headers.reply_to,
        length(headers.reply_to) > 0
        and all(headers.reply_to,
                .email.domain.root_domain != sender.email.domain.root_domain
                and .email.domain.root_domain in $free_email_providers
        )
)

// use of honorific
and regex.icontains(body.current_thread.text,
                    '(?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+',
                    'Dear Sir'
)

// mention of covid or an international organization
and regex.icontains(body.current_thread.text,
                    'international (court of justice|monetary fund)',
                    'united nations',
                    'western union',
                    'world bank',
                    'world health organization',
                    'interpol',
                    'treasury',
                    '\bFEMA\b',
                    '\bIMF\b'
)

// and mention of covid in subject or body
and (
  regex.icontains(subject.subject, 'covid(.{0,5}19)?\b')
  or regex.icontains(body.current_thread.text, 'covid(.{0,5}19)?\b')
)

// Check for compensation or award related language
and (
  2 of (
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request"),
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial")
  )
  or regex.icontains(subject.subject, 
                    'compensation.{0,20}(award|fund)',
                    'covid.{0,20}(compensation|award)',
                    'selected.{0,30}(compensation|award)',
                    'claim your award',
                    'reference no')
  or regex.icontains(body.current_thread.text, 
                    'compensation.{0,20}(award|fund)',
                    'covid.{0,20}(compensation|award)',
                    'selected.{0,30}(compensation|award)',
                    'claim your award',
                    'reference no\W\s*[^\s]*cov(?:id)?(?:.{0,5}19)?\b')
)

 // negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.