[PR #3564] added rule: Suspicious request for financial information

github-actions[bot] · github-actions[bot] · commit e393b8030af7 · 2025-11-20T21:30:57.000Z
diff --git a/detection-rules/3564_suspicious_request_financial.yml b/detection-rules/3564_suspicious_request_financial.yml
@@ -0,0 +1,101 @@
+name: "Suspicious request for financial information"
+description: "Email is from a suspicious sender and contains a request for financial information, such as AR reports."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and length(attachments) <= 1
+  and length(recipients.to) <= 2
+  // suspicious sender
+  and (
+    (
+      length(headers.reply_to) > 0
+      and all(headers.reply_to,
+              .email.domain.root_domain != sender.email.domain.root_domain
+              and .email.domain.root_domain not in $org_domains
+      )
+    )
+    or sender.email.domain.root_domain in $free_email_providers
+    or profile.by_sender().days_known < 3
+  )
+  // specific financial language
+  and (
+    regex.icontains(subject.subject,
+                    '\b(Aged|Age?ing) (Payables|Receivables|Report)',
+                    'reconcill?iation (report|statement).*(issued (settlement|advice)s?)|billing records?'
+    )
+    or (
+      regex.icontains(body.current_thread.text,
+                      '\b(Aged|Age?ing) (Payables|Receivables|Report)',
+                      '(updated|recent) (\bAR\b|\b\AP\b|\bAR\b \& \bAP\b|accounts?) (Payables|Receivables|Reports)',
+                      '(send|forward|provide).*remittance (advice|statements?)'
+      )
+      or strings.icontains(body.current_thread.text,
+                           "copy of a current statement"
+      )
+      or (
+        strings.icontains(body.current_thread.text, "please send all past due")
+        and strings.icontains(body.current_thread.text, "current invoices")
+      )
+    )
+    // suspicious link display text
+    or (
+      any(body.links,
+          regex.icontains(.display_text,
+                          '(Payment|Remittance|Settlement|Transfer) ?Batch',
+          )
+      )
+    )
+    // suspicious sender display name
+    or (
+      regex.icontains(sender.display_name,
+                      'Accounts? (?:Payable (?:Dep(\.|t\.?|artment)|e?Receipt)|(Co[[:punct:]]?ordinator|Admin|Manager|Payee))',
+                      '(?:pay(ment|([[:punct:]]|\s?)app)|EFT|ACH|deposit|remit|settle) (noti(ce|fication)|confirm(ation)?)'
+      )
+      // sender email listed as a recipient or recipients undisclosed/null
+      and (
+        (
+          sender.email.email in map(recipients.to, .email.email)
+          or (length(recipients.to) == 0 or length(recipients.to) is null)
+        )
+        // non-benign nlu intent 
+        or any(ml.nlu_classifier(body.current_thread.text).intents,
+               // callback phishing is outside the scope of this rule
+               (.name != "benign" and .name != "callback_scam")
+        )
+      )
+    )
+  )
+  // negate resume related/job inquiry outreach 
+  and not (
+    any(ml.nlu_classifier(body.current_thread.text).topics,
+        .name == "Professional and Career Development" and .confidence == "high"
+    )
+    and any(ml.nlu_classifier(body.current_thread.text).intents,
+            .name == "benign" and .confidence != "low"
+    )
+  )
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  and not profile.by_sender().any_messages_benign
+
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Free email provider"
+  - "Impersonation: Employee"
+  - "Impersonation: VIP"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "2f079cc3-c484-54b3-88a3-c4ee73d266d1"
+og_id: "4ebdaa4d-4db2-56c6-9a6c-220ad49b7681"
+testing_pr: 3564
+testing_sha: c90784669e1e4334f63ea55915aa7353dda3c593
