sublime-security · IndiaAce · Oct 22, 2025 · Oct 22, 2025 · Oct 22, 2025
@@ -0,0 +1,84 @@
+name: "BEC: Banking verification certificate with payment hold request"
+description: "Detects business email compromise targeting financial operations using banking certificates or verification documents combined with payment hold instructions. The rule identifies suspicious attachments with banking-related filenames, body content requesting payment delays or system updates for banking details, and various sender reputation indicators including uncommon TLDs, mismatched domains, or potential thread hijacking patterns."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and (
+    (
+      length(attachments) > 0
+      and (
+        any(attachments,
+          (
+            strings.ilike(.file_name, "*bank*certificate*")
+            or strings.ilike(.file_name, "*bank*confirmation*")  
+            or strings.ilike(.file_name, "*bank*ownership*")
+            or strings.ilike(.file_name, "*verification*certificate*")
+            or strings.ilike(.file_name, "*ownership*certificate*")
+            or strings.ilike(.file_name, "*bank*verification*")
+            or strings.ilike(.file_name, "*banking*certificate*")
+          )
+          and .file_type in ("pdf", "doc", "docx", "jpg", "png")
+        )
+      )
+    )
+    or (
+      regex.icontains(body.current_thread.text, 
+        '(bank\s+(ownership|verification|confirmation)\s+(certificate|letter|document))'
+      )
+      or regex.icontains(body.current_thread.text,
+        '(ownership\s+certificate|verification\s+(certificate|document))'
+      )
+    )
+  )
+  and (
+    regex.icontains(body.current_thread.text,
+      '(save\s+it\s+in\s+your\s+system|for\s+all\s+USD\s+transactions|hold\s+on\s+with\s+.*payment|experiencing\s+.*discrepancies|tax.related\s+issues|finance\s+director|new\s+(bank|banking)\s+(account|details))'
+    )
+    or (
+      regex.icontains(body.current_thread.text, '(kindly|please).*(hold|wait).*payment')
+      and regex.icontains(body.current_thread.text, '(bank|banking|USD|finance)')
+    )
+  )
+  and (
+    (
+      length(headers.domains) > 0
+      and any(headers.domains, .root_domain != sender.email.domain.root_domain)
+    )
+    or (
+      sender.email.domain.tld not in ("com", "org", "net", "edu", "gov")
+    )
+    or (
+      any(body.links,
+        .href_url.domain.root_domain != sender.email.domain.root_domain
+        and .href_url.domain.root_domain not in $tranco_1m
+      )
+    )
+    // Thread hijacking detection: previous threads show legitimate domains while current uses suspicious TLD
+    or (
+      length(body.previous_threads) > 0
+      and any(body.previous_threads,
+        // Look for common legitimate TLDs in previous thread emails
+        regex.contains(.preamble, '@[a-zA-Z0-9.-]+\\.(com|org|net)>')
+      )
+      and sender.email.domain.tld not in ("com", "org", "net", "edu", "gov")
+      and not strings.icontains(body.previous_threads[0].preamble, sender.email.domain.root_domain)
+    )
+  )
+
+
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Impersonation: Employee"
+  - "PDF"
+  - "Evasion"
+detection_methods:
+  - "Content analysis"
+  - "File analysis"
+  - "Header analysis"
+  - "Sender analysis"
+  - "Threat intelligence"
+  - "URL analysis"
+id: "7ce1e327-1452-5d9c-9b0b-818d67f3e53c"