anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
457e2d990c5a12fca61d6d0b2d41771ee762e88e
DECNET/rules/ttp/R0047.yaml
anti 1ad15470a1 feat(ttp): E.3.8 R0041-R0048 email cohort 
8 YAMLs for the email cohort per Appendix B: open-relay abuse,
mass phishing, phishing-kit X-Mailer signatures, IDN/punycode
URLs, sender masquerade, malicious attachment, BEC, encoded
payload in body. EmailLifter (E.3.12) consumes by rule_id.

test_email_rules.py: YAML-present + inert-in-v0 + xfail(strict)
precision case gated on E.3.12.
2026-05-01 09:19:56 -04:00

32 lines
643 B
YAML
Raw Blame History

rule_id: R0047
rule_version: 1
name: bec_pattern
description: |
Business email compromise: urgent-wire / CEO-impersonation
language + a request-for-action shape (gift cards, wire,
payroll change). Subject + body composite signal.
applies_to:
- email
match:
kind: lifter:email_bec
subject_keywords:
- urgent
- wire
- invoice
- payroll
- gift card
body_action_keywords:
- send
- transfer
- update banking
- confidential
emits:
- tactic: TA0001
technique_id: T1566
sub_technique_id: T1566.003
confidence: 0.85
evidence_fields:
- subject
- matched_subject_kw
- matched_body_kw
Reference in New Issue View Git Blame Copy Permalink