From f3a80bfa1ff18b4e8b3e8db7b82f6416c32250bf Mon Sep 17 00:00:00 2001
From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
Date: Wed, 22 Oct 2025 11:03:55 -0400
Subject: [PATCH 1/3] Create bec_fake_banking_verification_with_payment_hold.yml
---
 ...banking_verification_with_payment_hold.yml | 87 +++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 detection-rules/bec_fake_banking_verification_with_payment_hold.yml
diff --git a/detection-rules/bec_fake_banking_verification_with_payment_hold.yml b/detection-rules/bec_fake_banking_verification_with_payment_hold.yml
new file mode 100644
index 00000000000..56326291bc5
--- /dev/null
+++ b/detection-rules/bec_fake_banking_verification_with_payment_hold.yml
@@ -0,0 +1,87 @@
+name: "BEC: Banking verification certificate with payment hold request"
+description: "Detects business email compromise targeting financial operations using banking certificates or verification documents combined with payment hold instructions. The rule identifies suspicious attachments with banking-related filenames, body content requesting payment delays or system updates for banking details, and various sender reputation indicators including uncommon TLDs, mismatched domains, or potential thread hijacking patterns."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and (
+ (
+ length(attachments) > 0
+ and (
+ any(attachments,
+ (
+ strings.ilike(.file_name, "*bank*certificate*")
+ or strings.ilike(.file_name, "*bank*confirmation*")
+ or strings.ilike(.file_name, "*bank*ownership*")
+ or strings.ilike(.file_name, "*verification*certificate*")
+ or strings.ilike(.file_name, "*ownership*certificate*")
+ or strings.ilike(.file_name, "*bank*verification*")
+ or strings.ilike(.file_name, "*banking*certificate*")
+ )
+ and .file_type in ("pdf", "doc", "docx", "jpg", "png")
+ )
+ )
+ )
+ or (
+ regex.icontains(body.current_thread.text,
+ '(bank\s+(ownership|verification|confirmation)\s+(certificate|letter|document))'
+ )
+ or regex.icontains(body.current_thread.text,
+ '(ownership\s+certificate|verification\s+(certificate|document))'
+ )
+ )
+ )
+ and (
+ regex.icontains(body.current_thread.text,
+ '(save\s+it\s+in\s+your\s+system|for\s+all\s+USD\s+transactions|hold\s+on\s+with\s+.*payment|experiencing\s+.*discrepancies|tax.related\s+issues|finance\s+director|new\s+(bank|banking)\s+(account|details))'
+ )
+ or (
+ regex.icontains(body.current_thread.text, '(kindly|please).*(hold|wait).*payment')
+ and regex.icontains(body.current_thread.text, '(bank|banking|USD|finance)')
+ )
+ )
+ and (
+ sender.email.domain.root_domain not in $recipient_domains
+ and sender.email.domain.root_domain not in $tranco_1m
+ )
+ and (
+ (
+ length(headers.domains) > 0
+ and any(headers.domains, .root_domain != sender.email.domain.root_domain)
+ )
+ or (
+ sender.email.domain.tld not in ("com", "org", "net", "edu", "gov")
+ )
+ or (
+ any(body.links,
+ .href_url.domain.root_domain != sender.email.domain.root_domain
+ and .href_url.domain.root_domain not in $tranco_1m
+ )
+ )
+ // Thread hijacking detection: previous threads show legitimate domains while current uses suspicious TLD
+ or (
+ length(body.previous_threads) > 0
+ and any(body.previous_threads,
+ // Look for common legitimate TLDs in previous thread emails
+ regex.contains(.preamble, '@[a-zA-Z0-9.-]+\\.(com|org|net)>')
+ )
+ and sender.email.domain.tld not in ("com", "org", "net", "edu", "gov")
+ and not strings.icontains(body.previous_threads[0].preamble, sender.email.domain.root_domain)
+ )
+ )
+
+
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Social engineering"
+ - "Impersonation: Employee"
+ - "PDF"
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "Sender analysis"
+ - "Threat intelligence"
+ - "URL analysis"
From ad9b7837c3720718a410203d0114585628df01a7 Mon Sep 17 00:00:00 2001
From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
Date: Wed, 22 Oct 2025 11:15:36 -0400
Subject: [PATCH 2/3] Update bec_fake_banking_verification_with_payment_hold.yml
---
 .../bec_fake_banking_verification_with_payment_hold.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/detection-rules/bec_fake_banking_verification_with_payment_hold.yml b/detection-rules/bec_fake_banking_verification_with_payment_hold.yml
index 56326291bc5..125541219fc 100644
--- a/detection-rules/bec_fake_banking_verification_with_payment_hold.yml
+++ b/detection-rules/bec_fake_banking_verification_with_payment_hold.yml
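Review bot: The previous-thread pattern `'@[a-zA-Z0-9.-]+\\.(com|org|net)>'` in the thread-hijacking branch doubles the backslash while every other regex in this source (`\s+`) uses a single one; if single-quoted MQL regexes are raw, as the rest of the rule assumes, `\\.` matches a literal backslash followed by any character and that branch can never fire. Change it to `regex.contains(.preamble, '@[a-zA-Z0-9.-]+\.(com|org|net)>')`, and likewise escape the separator in `tax.related\s+issues` (e.g. `tax[\s-]related`) if a literal hyphen or space is intended rather than any character. The `any(headers.domains, .root_domain != sender.email.domain.root_domain)` branch also looks likely to be true for most inbound mail, since header domains commonly include relay and recipient domains other than the sender's, which would make the surrounding sender-indicator block nearly always satisfied; worth confirming against a sample of benign messages before relying on it as a reputation signal.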
@@ -40,10 +40,6 @@ source: |
 and regex.icontains(body.current_thread.text, '(bank|banking|USD|finance)')
 )
 )
- and (
- sender.email.domain.root_domain not in $recipient_domains
- and sender.email.domain.root_domain not in $tranco_1m
- )
 and (
 (
 length(headers.domains) > 0
From b251940bcf4d8cdcd3c9395bea2a5cd44852f8d7 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Wed, 22 Oct 2025 15:43:07 +0000
Subject: [PATCH 3/3] Auto add rule ID
---
 .../bec_fake_banking_verification_with_payment_hold.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/bec_fake_banking_verification_with_payment_hold.yml b/detection-rules/bec_fake_banking_verification_with_payment_hold.yml
index 125541219fc..e4e26f58442 100644
--- a/detection-rules/bec_fake_banking_verification_with_payment_hold.yml
+++ b/detection-rules/bec_fake_banking_verification_with_payment_hold.yml
@@ -81,3 +81,4 @@ detection_methods:
 - "Sender analysis"
 - "Threat intelligence"
 - "URL analysis"
+id: "7ce1e327-1452-5d9c-9b0b-818d67f3e53c"