
Summary
This detection rule targets generic scams in email communications, specifically messages sent to undisclosed recipients. It takes a multifaceted approach to identifying potential fraud by analyzing several components of an incoming email, including the body and the header information. Detection begins by checking whether the recipient fields contain undisclosed recipients, which indicates a higher risk of spam or scam tactics. The sender's email domain is then compared against a list of high-trust sender domains, so that a trusted-looking domain does not cause a potentially malicious message to be overlooked. The rule also tracks discrepancies between the sender's address and the 'Reply-To' field to identify potential impersonation attempts. It includes language analysis to detect generic greetings such as "sir" or "madam" in the email body, and it looks for explicit requests that may signal a scam. The overarching goal is to separate legitimate emails from malicious ones while avoiding false positives from trusted domains, which are exempted unless they fail DMARC authentication. This analysis combines content, header, sender, and natural language understanding methods to mitigate business email compromise risk.
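The following is an added example, not the rule's own logic, that applies the signals described above to two constructed messages: the undisclosed-recipients gate, the high-trust domain exemption that is lifted on DMARC failure, the Reply-To mismatch, the generic greeting and the explicit request. The trust list, the keyword patterns and the way the signals are combined are assumptions for illustration; the DMARC result is passed in as if supplied by the receiving mail server.

```python
import email
import re
from email.utils import parseaddr

# Constructed for this example; the page does not list the rule's real trust list.
HIGH_TRUST_SENDER_DOMAINS = {"example-bank.com"}
UNDISCLOSED = re.compile(r"undisclosed[-\s]?recipients", re.I)
GENERIC_GREETING = re.compile(r"^\s*(dear\s+)?(sir|madam|customer)\b", re.I | re.M)
EXPLICIT_REQUEST = re.compile(r"\b(please|kindly)\s+(reply|respond|contact|confirm|send)\b", re.I)

def evaluate(raw: str, dmarc_pass: bool) -> list[str]:
    """Return the signals found; an empty list means the message is not flagged.
    Assumes a plain-text, non-multipart message and an externally supplied DMARC result."""
    msg = email.message_from_string(raw)
    recipients = " ".join(msg.get_all("To", []) + msg.get_all("Cc", []))
    if not UNDISCLOSED.search(recipients):
        return []                      # gate: only undisclosed-recipient mail is in scope
    findings = ["undisclosed recipients"]
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender.rpartition("@")[2] in HIGH_TRUST_SENDER_DOMAINS and dmarc_pass:
        return []                      # trusted domain that authenticates: suppress
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != sender:
        findings.append("reply-to mismatch")
    body = msg.get_payload()
    if GENERIC_GREETING.search(body):
        findings.append("generic greeting")
    if EXPLICIT_REQUEST.search(body):
        findings.append("explicit request")
    # Flag only when the recipient gate is backed by at least one further signal
    # (combination assumed here; the page does not state the rule's exact logic).
    return findings if len(findings) > 1 else []

SCAM = """\
From: "Mr. Ahmed" <ahmed@free-mail.example>
Reply-To: ahmed.private@other-mail.example
To: undisclosed-recipients:;

Dear Sir/Madam,
Please reply to my private email for details of a business proposal.
"""
TRUSTED = """\
From: Example Bank <alerts@example-bank.com>
To: undisclosed-recipients:;

Dear Customer,
Please confirm your contact details in online banking.
"""
```

`evaluate(SCAM, dmarc_pass=False)` reports all four signals, while the bank mailing is suppressed only while its DMARC result is a pass.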
Categories
- Endpoint
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2023-11-22