Medium Severity

PenPal Scam

Labels

BEC/Fraud

Free email provider

Description

This rule detects messages from individuals looking to establish contact under the guise of seeking friendship or a penpal relationship. Over time, they build trust and then exploit this relationship by asking for money, personal information, or involvement in suspicious activities.

References

No references.

Sublime Security

Created Nov 21st, 2023 • Last updated Jul 16th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound

// the sender or the reply-to is a freemail provider
and (
  sender.email.domain.domain in $free_email_providers
  or any(headers.reply_to,
         .email.domain.root_domain in $free_email_providers
         and not sender.email.domain.root_domain in $free_email_providers
  )
)

// body contains pen ?pal
and regex.contains(body.current_thread.text, 'pen\s?pal')

// and NLU Request
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "request"
)

// not a reply
and (
  length(headers.references) == 0
  or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)

// new sender
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.