Medium Severity
Scam: Piano Giveaway
Description
This rule is designed to identify and mitigate a specific type of fraudulent activity commonly targeted at educational institutions. This rule operates by analyzing incoming email content for certain characteristics indicative of a scam involving the offer of a free piano, often framed within the context of downsizing or a giveaway.
References
No references.
Sublime Security
Created Feb 3rd, 2025 • Last updated Jun 11th, 2025
Feed Source
Sublime Core Feed
Source
length(body.links) < 10
and length(body.current_thread.text) < 1500
and (
// body detection
// be sure to update the attachment detection regexes too!
(
(
// items and brands
// Guitars
regex.icontains(body.current_thread.text,
'(?:Gibson|Fender|Lowden|Martin|Taylor|Ibanez)\s*[^\r\n]{0,50}\s*guitar',
)
// Piano/Keyboards
or regex.icontains(body.current_thread.text,
'(?:Yamaha|Kawai|Baldwin|Roland|Stei?nway(?: (?:&|and) Sons?)?|\d{4})\s*[^\r\n]{0,50}(?:baby.grand|piano|baby.grand.piano|keyboard)',
)
// Violins & Orchestral
or regex.icontains(body.current_thread.text,
'(?:Stradivarius|Guarneri|Yamaha|Stentor|Eastman|Cremona|Cecilio|Mendini)\s*[^\r\n]{0,50}(violin|viola|cello|celli)',
)
// brass/wind/woodwinds
or regex.icontains(body.current_thread.text,
'(?:Bach|Yamaha|Selmer|Conn|King|Jupiter|Buffet Crampon |Pearl)\s*[^\r\n]{0,50}(trombone|trumpet|saxophone|clarinet|flute)'
)
// generic
or strings.ilike(body.current_thread.text,
'* musical instruments *',
'* instrument as a gift*'
)
)
and (
// often a person is moving
strings.ilike(body.current_thread.text,
'* downsizing *',
'* relocating *',
'* relocation *',
'* moving *'
)
or strings.ilike(body.current_thread.text,
'* give away*',
'* generously offering *',
'*a loving home*',
'*find a new home *',
'*rehome these instruments *'
)
// generally someone died
or regex.icontains(body.current_thread.text,
'inherited instruments',
'late (?:husband|father|dad|wife|mother|mom)',
'(?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate'
)
// passion/love for the item
or strings.ilike(body.current_thread.text,
'* genuinely cherish *',
'* cherished possessions *',
'* passionate instrument *',
'* had a passion for music *'
)
)
and (
// it talks about a shipping fee upfront
regex.icontains(body.current_thread.text,
'shipping (?:fee|cost|arrangement)',
'(?:responsible|pay) for shipping',
'no (?:local\s)?pick.?up',
'delivery only',
'moving company'
)
or strings.ilike(body.current_thread.text,
'* if you will take it *',
'* or have someone *',
'* indicate your interest *',
'* to someone you know*',
'* someone you know would *'
)
or regex.icontains(body.current_thread.text,
'if you (?:will be|are) interested',
'who (?:will|would) appreciate'
)
or (
// there's an email in the body
regex.contains(body.current_thread.text,
"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
)
// and it's likely a freemail
and any($free_email_providers,
strings.icontains(body.current_thread.text, .)
)
)
// reply-to doesn't match sender
or (
length(headers.reply_to) > 0
and sender.email.email not in map(headers.reply_to, .email.email)
)
// there are no recipients
or length(recipients.to) == 0
// redirects to a phone number
or regex.icontains(body.current_thread.text,
'(?:call|contact|text)[^\r\n]{0,50} at'
)
or regex.icontains(body.current_thread.text,
'(?:private|personal) (?:e-?)?mail'
)
or strings.icontains(body.current_thread.text, ' kindly ')
)
)
or (
any(attachments,
(
// items and brands
// Guitars
regex.icontains(file.parse_text(.).text,
'(?:Gibson|Fender|Lowden|Martin|Taylor|Ibanez)\s*[^\r\n]{0,50}\s*guitar',
)
// Piano/Keyboards
or regex.icontains(file.parse_text(.).text,
'(?:Yamaha|Kawai|Baldwin|Roland|Stei?nway(?: (?:&|and) Sons?)?)\s*[^\r\n]{0,50}(?:baby.grand|piano|baby.grand.piano|keyboard)',
)
// Violins & Orchestral
or regex.icontains(file.parse_text(.).text,
'(?:Stradivarius|Guarneri|Yamaha|Stentor|Eastman|Cremona|Cecilio|Mendini)\s*[^\r\n]{0,50}(violin|viola|cello|celli)',
)
// brass/wind/woodwinds
or regex.icontains(file.parse_text(.).text,
'(?:Bach|Yamaha|Selmer|Conn|King|Jupiter|Buffet Crampon |Pearl)\s*[^\r\n]{0,50}(trombone|trumpet|saxophone|clarinet|flute)'
)
// generic
or strings.ilike(file.parse_text(.).text,
'* musical instruments *',
'* instrument as a gift*'
)
)
and (
// often a person is moving
strings.ilike(file.parse_text(.).text,
'* downsizing *',
'* relocating *',
'* relocation *',
'* moving *'
)
or strings.ilike(file.parse_text(.).text,
'* give away*',
'* generously offering *',
'*a loving home*',
'*find a new home *',
'*rehome these instruments *'
)
// generally someone died
or regex.icontains(file.parse_text(.).text,
'inherited instruments',
'late (?:husband|father|dad|wife|mother|mom)',
'(?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate'
)
// passion/love for the item
or strings.ilike(file.parse_text(.).text,
'* genuinely cherish *',
'* cherished possessions *',
'* passionate instrument *',
'* had a passion for music *'
)
)
and (
// it talks about a shipping fee upfront
regex.icontains(file.parse_text(.).text,
'shipping (?:fee|cost|arrangement)',
'(?:responsible|pay) for shipping',
'no (?:local\s)?pick.?up',
'delivery only',
'moving company'
)
or strings.ilike(file.parse_text(.).text,
'* if you will take it *',
'* or have someone *',
'* indicate your interest *',
'* to someone you know*',
'* someone you know would *'
)
or regex.icontains(file.parse_text(.).text,
'if you (?:will be|are) interested',
'who (?:will|would) appreciate'
)
or (
// there's an email in the attachment
regex.contains(file.parse_text(.).text,
"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
)
// and it's likely a freemail
and any($free_email_providers,
strings.icontains(file.parse_text(..).text, .)
)
)
// reply-to doesn't match sender
or (
length(headers.reply_to) > 0
and sender.email.email not in map(headers.reply_to, .email.email)
)
// there are no recipients
or length(recipients.to) == 0
// redirects to a phone number
or regex.icontains(file.parse_text(.).text,
'(?:call|contact|text)[^\r\n]{0,50} at'
)
or regex.icontains(file.parse_text(.).text,
'(?:private|personal) (?:e-?)?mail'
)
or strings.icontains(file.parse_text(.).text, ' kindly ')
)
)
)
)
// not high trust sender domains
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and headers.auth_summary.dmarc.pass
)
// person provides piano lessons and offers to give a Roland baby-grand away
and not sender.email.domain.root_domain == 'ridleyacademy.com'
Playground
Test against your own EMLs or sample data.