Sublime Core Feed
High Severity

Suspicious Request for Financial Information

Labels

BEC/Fraud
Free email provider
Impersonation: Employee
Impersonation: VIP
Social engineering
Content analysis
Header analysis
Sender analysis

Description

Email is from a suspicious sender and contains a request for financial information, such as AR (accounts receivable) reports.

References

No references.

Sublime Security
Created Nov 14th, 2024 • Last updated Nov 25th, 2024
Feed Source
Sublime Core Feed
Source
GitHub

Detection Rule (MQL)

type.inbound
// no attachments
and length(attachments) == 0
// direct to recipient
and length(recipients.to) == 1
// suspicious sender
and (
  (
    length(headers.reply_to) > 0
    and all(headers.reply_to,
            .email.domain.root_domain != sender.email.domain.root_domain
            and .email.domain.root_domain not in $org_domains
    )
  )
  or sender.email.domain.root_domain in $free_email_providers
  or profile.by_sender().days_known < 3
)
// specific financial language
and (
  regex.icontains(subject.subject,
                  '\b(Aged|Age?ing) (Payables|Receivables|Report)'
  )
  or regex.icontains(body.current_thread.text,
                     '\b(Aged|Age?ing) (Payables|Receivables|Report)',
                     'updated (\bAR\b|accounts? (Payables|Receivables))'
  )
)
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().any_false_positives
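To exercise the rule's regexes and sender heuristics locally against an EML, the following is an added Python sketch of the same conditions (not Sublime's own code). ORG_DOMAINS and FREE_EMAIL_PROVIDERS are constructed stand-ins for the $org_domains and $free_email_providers lists, days_known stands in for profile.by_sender().days_known, and the high-trust/DMARC and any_false_positives checks are not modelled because they depend on Sublime's own data.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Patterns copied from the rule; re.I mirrors the case-insensitivity of regex.icontains.
FIN_SUBJECT = re.compile(r'\b(Aged|Age?ing) (Payables|Receivables|Report)', re.I)
FIN_BODY = (FIN_SUBJECT,
            re.compile(r'updated (\bAR\b|accounts? (Payables|Receivables))', re.I))

# Constructed stand-ins for the rule's $org_domains and $free_email_providers lists.
ORG_DOMAINS = {"example.com"}
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}

def root_domain(addr):
    """Rough stand-in for MQL's .domain.root_domain (keeps the last two labels)."""
    domain = addr.rpartition("@")[2].lower()
    return ".".join(domain.split(".")[-2:])

def addresses(msg, header):
    return [a for _, a in getaddresses(msg.get_all(header, []))]

def has_financial_language(subject, body):
    return bool(FIN_SUBJECT.search(subject)) or any(p.search(body) for p in FIN_BODY)

def is_suspicious_financial_request(raw_eml, days_known=0):
    """Apply the rule's structural, sender and content conditions to one inbound EML."""
    msg = message_from_string(raw_eml, policy=policy.default)
    senders = addresses(msg, "From")
    # no attachments, exactly one To recipient, a parseable From
    if any(True for _ in msg.iter_attachments()) or len(addresses(msg, "To")) != 1 or not senders:
        return False
    sender = root_domain(senders[0])
    reply_to = [root_domain(a) for a in addresses(msg, "Reply-To")]
    suspicious_sender = (
        (reply_to and all(d != sender and d not in ORG_DOMAINS for d in reply_to))
        or sender in FREE_EMAIL_PROVIDERS
        or days_known < 3
    )
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    return bool(suspicious_sender) and has_financial_language(msg["Subject"] or "", body)

# Constructed sample: free-mail sender posing as an executive with a mismatched Reply-To.
SAMPLE_EML = """\
From: "Pat Smith, CFO" <pat.smith.cfo@gmail.com>
Reply-To: pat.cfo.office@protonmail.com
To: ap@example.com
Subject: Updated Aging Report needed today
Content-Type: text/plain; charset=utf-8

Hi, please send me the updated AR report before the 3pm call.
"""

if __name__ == "__main__":
    print(is_suspicious_financial_request(SAMPLE_EML, days_known=1))  # True
```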