Creating a rule from a runner to look for suspected thread hijacking and financial motivation

detection-rules/thread_hijack_domain_spoofing_with_financial_content.yml

@@ -0,0 +1,48 @@
+name: "Thread hijacking: Domain spoofing with financial content"
+description: "Detects messages that appear to be part of an existing email thread but originate from a different domain than previous participants, combined with suspicious sender characteristics and financial content indicators."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    // message is part of an existing thread
+    length(headers.references) > 0
+    or headers.in_reply_to is not null
+  )
+  and (
+    // domain spoofing: sender domain differs from domains in thread history
+    any(body.previous_threads,
+        any(regex.iextract(.preamble, '<([^>]+@[^>]+)>'),
+            strings.parse_email(.groups[0]).domain.root_domain != sender.email.domain.root_domain
+        )
+    )
+  )
+  and (
+    // suspicious sender characteristics
+    sender.email.domain.tld in $suspicious_tlds
+    or sender.email.domain.domain in $free_email_providers
+  )
+  and (
+    // financial/business content indicators
+    regex.icontains(body.current_thread.text,
+                    '(bank|payment|transaction|invoice|swift|wire|transfer|account|financial|money|usd|dollar)'
+    )
+  )
+  and (
+    // standard reputation checks
+    not profile.by_sender().solicited
+    or profile.by_sender().any_messages_malicious_or_spam
+  )
+  and not profile.by_sender().any_messages_benign
+
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Spoofing"
+  - "Free email provider"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "7428de53-7b52-5ef5-81ba-c537e94a5711"