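--- a/detection-rules/fake_ooo_urgent_financial_request.yml
+++ b/detection-rules/fake_ooo_urgent_financial_request.yml
@@ -0,0 +1,50 @@
+name: "Out-of-office auto-reply with urgent financial request from free email provider"
+description: "Detects suspicious out-of-office messages from free email providers that contain urgent financial payment requests. These messages combine legitimate auto-reply topics with BEC indicators including urgency, financial terms, and payment processing language to appear trustworthy while requesting financial actions."
+type: "rule"
+severity: "low"
+source: |
+type.inbound
+and sender.email.domain.root_domain in~ $free_email_providers
+and length(body.previous_threads) == 0
+and length(body.current_thread.text) < 500
+and not subject.is_reply
+and not subject.is_forward
+
+// out-of-office topic
+and any(ml.nlu_classifier(body.current_thread.text).topics,
+.name == "Out of Office and Automatic Replies"
+)
+// urgent and financial entities
+and (
+(
+any(ml.nlu_classifier(body.current_thread.text).entities,
+.name == "urgency"
+)
+and any(ml.nlu_classifier(body.current_thread.text).entities,
+.name == "financial"
+)
+)
+// or high confidence in bec/cred_theft/callback_scam
+or any(ml.nlu_classifier(body.current_thread.text).intents,
+.name in ("bec", "cred_theft", "callback_scam")
+and .confidence != "low"
+)
+)
+and (
+strings.icontains(body.current_thread.text, "handle the payment")
+or strings.icontains(body.current_thread.text, "process the invoice")
+or strings.icontains(body.current_thread.text, "expense payment")
+or strings.icontains(body.current_thread.text, "payment during")
+)
+attack_types:
+- "BEC/Fraud"
+tactics_and_techniques:
+- "Free email provider"
+- "Impersonation: Employee"
+- "Social engineering"
+detection_methods:
+- "Content analysis"
+- "Header analysis"
+- "Natural Language Understanding"
+- "Sender analysis"
+id: "5c9fc8ab-84d7-5bf3-a044-101529ef0d9a"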
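Review bot: The rule has no sender-history exclusion, so an established free-mail correspondent (a contractor on a consumer mailbox whose genuine auto-reply mentions processing an invoice) triggers it exactly as a first-contact sender does, and the "low" severity only lowers the priority of that noise rather than removing it. If the other free-email-provider rules in this repository use the sender profile helpers, add `and not profile.by_sender().solicited` and `and not profile.by_sender().any_false_positives` directly after the `and not subject.is_forward` line, so the NLU and phrase matching only run against unsolicited senders. As a point of style, the four `strings.icontains` clauses at the end could collapse into one `regex.icontains(body.current_thread.text, "handle the payment|process the invoice|expense payment|payment during")`, which is easier to extend than adding another `or` branch each time a phrase is observed. The rendered view appears to have stripped the indentation under `source: |`; worth confirming the committed file still parses as a block scalar.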