Sync from PR#2916

Sublime Rule Testing Bot · Sublime Rule Testing Bot · commit e59d4ac887df · 2025-07-09T21:33:22.000Z
Create spam_financial_preapproval_link.yml by @aidenmitchell #2916 Source SHA 4f7338c Triggered by @aidenmitchell
diff --git a/detection-rules/2916_spam_financial_preapproval_link.yml b/detection-rules/2916_spam_financial_preapproval_link.yml
@@ -0,0 +1,55 @@
+name: "Spam: Financial Pre-Approval Language With Link"
+description: "Detects suspicious financial communications containing pre-approval language and links with capitalized display text from untrusted or DMARC-failing senders who have no prior benign message history."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    (
+      any(beta.ml_topic(body.current_thread.text).topics,
+          .name == "Financial Communications" and .confidence != "low"
+      )
+      and regex.icontains(body.current_thread.text,
+                          '\bpre-approved\b',
+                          '\blimit\b'
+      )
+    )
+    or (
+      any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
+          .name == "Financial Communications" and .confidence != "low"
+      )
+      and regex.icontains(beta.ocr(beta.message_screenshot()).text,
+                          '\bpre-approved\b',
+                          '\blimit\b'
+      )
+    )
+  )
+  and any(body.links, regex.match(.display_text, '[A-Z ]+'))
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  and not profile.by_sender().any_messages_benign
+tags:
+  - "Attack surface reduction"
+attack_types:
+  - "BEC/Fraud"
+  - "Spam"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Impersonation: Brand"
+detection_methods:
+  - "Computer Vision"
+  - "Content analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+id: "bd235d3b-f2c1-52f7-21ae-ed11d7ad9feb"
+og_id: "f6fefa07-1eb6-5573-b57e-a3333a480ac6"
+testing_pr: 2916
+testing_sha: 4f7338c6d7c5d2585fd83301895b88c7560e1e39
