[PR #3463] added rule: Spam: Website errors solicitation

Author: github-actions[bot]

detection-rules/3463_spam_website_errors_solicitation.yml

@@ -0,0 +1,71 @@
+name: "Spam: Website errors solicitation"
+description: "This rule detects messages claiming to have identified errors on a website. The messages typically offer to send pricing or information upon request."
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  and (
+    sender.email.email not in $recipient_emails
+    or not profile.by_sender().solicited
+  )
+  and 1 of (
+    // Single thread message groups
+    (
+      length(attachments) == 0
+      and length(body.links) == 0
+      and length(body.previous_threads) == 0
+      and 20 < length(body.current_thread.text) < 500
+      and regex.icontains(body.current_thread.text, "screenshot|error list|plan")
+      and regex.icontains(body.current_thread.text, ".*(hi|hello|hey)")
+      and regex.icontains(body.current_thread.text, ".*(error|report|issues)")
+      and regex.icontains(body.current_thread.text, ".*(site|website)")
+      and regex.icontains(subject.subject,
+                          ".*(proposal|cost|report|error|audit|screenshot)"
+      )
+    ),
+    // Single thread message groups but with 1 unsubscribe link or link is recipient
+    (
+      length(attachments) == 0
+      and length(body.links) == 1
+      and (
+        regex.icontains(body.html.raw, "mailto:*[++unsubscribe@]")
+        or any(body.links, .href_url.domain.root_domain in~ $org_domains)
+      )
+      and length(body.previous_threads) == 0
+      and 20 < length(body.current_thread.text) < 500
+      and regex.icontains(body.current_thread.text, "screenshot|error list|plan")
+      and regex.icontains(body.current_thread.text, ".*(hi|hello|hey)")
+      and regex.icontains(body.current_thread.text, ".*(error|report|issues)")
+      and regex.icontains(body.current_thread.text, ".*(site|website)")
+      and regex.icontains(subject.subject,
+                          ".*(proposal|cost|report|error|audit|screenshot)"
+      )
+    ),
+    // Multiple thread message groups
+    (
+      length(attachments) == 0
+      and length(body.links) == 0
+      and length(body.previous_threads) < 5
+      and regex.icontains(subject.subject, ".*(proposal|cost|report|error|audit)")
+      and any(body.previous_threads,
+              length(.text) < 400
+              and regex.icontains(.text, '.*(hey|hi|hello)')
+              and regex.icontains(.text, '.*(\berror(?:\s+list)?\b|screenshot|report|plan)')
+              and strings.count(.text, "?") >= 3
+              and ml.nlu_classifier(.text).language == "english"
+      )
+    )
+  )
+
+tags:
+  - "Attack surface reduction"
+attack_types:
+  - "Spam"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+  - "Natural Language Understanding"
+id: "c2e6061d-ac16-508e-8014-c50e8080ae4b"
+og_id: "122ea794-f619-5f29-acb2-83261d8f81fc"
+testing_pr: 3463
+testing_sha: 287facbb7b331548169f10426a19f23a8c0bcdd0