
Summary
This rule detects Business Email Compromise (BEC) attempts in which an inbound message impersonates a leadership-development coaching vendor. It triggers on inbound thread content that references coaching or executive services and carries financial signaling such as an invoice or a W-9 form.

The detection is layered; all three conditions must hold:
- Exact-string and regex patterns surface brand-related terms (e.g. ezra, hesion, better up, coach hub) and explicit references to leadership development coaching.
- A natural language understanding (NLU) classifier identifies, with high confidence, topics in the message related to financial communications, payment information, or invoice viewing, coupled with an intent named bec.
- An inbound source constraint ensures the message originates from the expected inbound flow.

When these conditions are met, the rule flags the message as potential BEC. Detection methods: content analysis, HTML analysis, and natural language understanding. The rule is categorized under BEC/Fraud, with the tactics brand impersonation and social engineering.

False positives may arise from legitimate discussions of executive coaching or invoices. Tuning should weigh sender context (whether the sending domain is the vendor's own or a lookalike), vendor whitelisting/blacklisting, and cross-checks against payment workflows or invoice approvals to reduce noise.
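The layered logic above, as an added worked example that is not the rule's own code and not the vendor's implementation. The brand regexes are built from the summary's example terms; the NLU classifier and the bec intent are replaced by a weighted keyword score with a 0.7 threshold and an urgency/bank-change phrase list (both assumptions, since the real model is not on the page); the allowlist, the sender domains and the four sample messages are constructed for the example.

```python
"""Toy re-implementation of the layered BEC detection described in the summary.

Assumptions (not from the original rule): the keyword weights, the 0.7
confidence threshold, the phrase list approximating the "bec" intent, the
vendor allowlist, and every sender domain / message below are constructed.
"""
import re
from dataclasses import dataclass

# Layer 1: brand terms from the summary; the optional-space forms are an assumption.
BRAND_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bezra\b", r"\bhesion\b", r"\bbetter ?up\b", r"\bcoach ?hub\b")]
COACHING_PATTERN = re.compile(
    r"\b(?:leadership[\s-]+development|executive)[\s-]+coach(?:ing)?\b", re.I)

# Layer 2 stand-in for the NLU classifier: weighted financial terms, capped at 1.0.
FINANCIAL_TERMS = {
    r"\binvoice\b": 0.4, r"\bw-?9\b": 0.4, r"\bpayment\b": 0.3,
    r"\bremit(?:tance)?\b": 0.3, r"\bwire\b": 0.3, r"\bpast due\b": 0.3,
}
CONFIDENCE_THRESHOLD = 0.7
# Phrases approximating the "bec" intent: urgency or a change of payment details.
BEC_INTENT = re.compile(
    r"\b(?:updated?|new|changed?)\s+(?:bank(?:ing)?|account|remittance)\b"
    r"|\burgent(?:ly)?\b|\bbefore (?:end of|close of) (?:day|business)\b", re.I)

# Tuning knob: sending domains of real coaching vendors (constructed, not real).
VENDOR_ALLOWLIST = {"betterup.example", "coachhub.example"}


@dataclass
class Message:
    sender: str
    direction: str   # "inbound" or "outbound" (the layer-3 source constraint)
    subject: str
    body: str


def financial_confidence(text):
    """Sum the weights of matched financial terms, capped at 1.0."""
    score = sum(w for p, w in FINANCIAL_TERMS.items() if re.search(p, text, re.I))
    return min(score, 1.0)


def evaluate(msg):
    """Apply the three layers in order and return a verdict with reasons."""
    text = f"{msg.subject}\n{msg.body}"
    if msg.direction != "inbound":
        return {"flagged": False, "reasons": ["not inbound"]}
    brands = [p.pattern for p in BRAND_PATTERNS if p.search(text)]
    coaching = bool(COACHING_PATTERN.search(text))
    if not (brands or coaching):
        return {"flagged": False, "reasons": ["no coaching/brand reference"]}
    reasons = [f"brand={brands} coaching_ref={coaching}"]
    conf = financial_confidence(text)
    intent = bool(BEC_INTENT.search(text))
    reasons.append(f"financial conf {conf:.1f}, bec intent {intent}")
    if conf < CONFIDENCE_THRESHOLD or not intent:
        return {"flagged": False, "reasons": reasons}
    # Tuning: a message from the vendor's own domain is a likely false positive.
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if domain in VENDOR_ALLOWLIST:
        reasons.append(f"sender domain {domain} allowlisted")
        return {"flagged": False, "reasons": reasons}
    reasons.append(f"sender domain {domain} not a known vendor domain")
    return {"flagged": True, "reasons": reasons}


# Constructed sample messages: one lookalike-vendor BEC, one internal reply,
# one genuine vendor dunning notice, one coaching thread with no money involved.
SAMPLES = [
    Message("ap@ezra-billing.example", "inbound",
            "Invoice #4471 and W-9 for executive coaching",
            "Please remit payment by wire to our updated bank account before end of day.\n"
            "-- Ezra Accounts Receivable"),
    Message("cfo@corp.example", "outbound", "Re: BetterUp invoice",
            "Approved, pay the invoice through the usual PO."),
    Message("billing@betterup.example", "inbound", "BetterUp invoice 2207",
            "Invoice attached, payment is past due, please send urgently."),
    Message("hr@partner.example", "inbound",
            "Leadership development coaching program",
            "Here is the agenda for next quarter's sessions."),
]


def run_samples():
    """Return (sender, flagged) pairs for the constructed samples."""
    return [(m.sender, evaluate(m)["flagged"]) for m in SAMPLES]


if __name__ == "__main__":
    for m in SAMPLES:
        v = evaluate(m)
        print(f"{m.sender:28} flagged={v['flagged']}  {'; '.join(v['reasons'])}")
```

The order of the checks matters for noise: the cheap inbound and brand/coaching gates run first, the heavier financial scoring only on what survives, and the allowlist is applied last so a suppressed vendor message still keeps its reasons for review. A lookalike domain such as the first sample's is exactly what the allowlist does not cover, which is why sender-domain similarity to the real vendor is a separate tuning input.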
Categories
- Endpoint
- Web
Data Sources
- Process
- Application Log
Created: 2026-07-01