From dc3f8ccfc4c3e5290eca35f16cfa3b8e6eaae258 Mon Sep 17 00:00:00 2001
From: Bryan Campbell <8331265+brycampbell@users.noreply.github.com>
Date: Tue, 29 Jul 2025 18:07:48 +0100
Subject: [PATCH 1/2] Create spam_emoji_cash_lures.yml
---
 detection-rules/spam_emoji_cash_lures.yml | 30 +++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 detection-rules/spam_emoji_cash_lures.yml
diff --git a/detection-rules/spam_emoji_cash_lures.yml b/detection-rules/spam_emoji_cash_lures.yml
new file mode 100644
index 00000000000..e1e5cbce2d6
--- /dev/null
+++ b/detection-rules/spam_emoji_cash_lures.yml
@@ -0,0 +1,30 @@
+name: "Display Name Emoji with Financial Symbols"
+description: "Detects messages where the sender's display name contains emoji characters alongside financial symbols ($ £ € ¥ ₿) in the subject line. The sender's domain is not present in the Alexa top 1 million sites and has DMARC authentication issues."
+type: "rule"
+severity: "low"
+source: |
+ // Hunt for emails with emoji in sender display name and financial symbols in subject
+ type.inbound
+ // Check for emoji in sender display name using Unicode ranges
+ and regex.contains(sender.display_name,
+ '[\x{1F600}-\x{1F64F}]|[\x{1F300}-\x{1F5FF}]|[\x{1F680}-\x{1F6FF}]|[\x{1F1E0}-\x{1F1FF}]|[\x{2600}-\x{26FF}]|[\x{2700}-\x{27BF}]'
+ )
+ // Check for financial symbols in subject
+ and regex.contains(subject.subject, '[\$£€¥₿]')
+
+ and (
+ headers.auth_summary.dmarc.pass is null
+ or headers.auth_summary.dmarc.pass == false
+ )
+ and sender.email.domain.root_domain not in $alexa_1m
+
+attack_types:
+ - "BEC/Fraud"
+ - "Callback Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
From 3ecc9b95b074bdeb0ab7cc3dbb6f43d55e109a86 Mon Sep 17 00:00:00 2001
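Review bot: The emoji character class passed to `regex.contains(sender.display_name, ...)` stops at the U+2700–U+27BF block and leaves out Supplemental Symbols and Pictographs (U+1F900–U+1F9FF) and Symbols and Pictographs Extended-A (U+1FA70–U+1FAFF), so a display name whose only emoji is 🤑 (U+1F911) or 🪙 (U+1FA99) — both on-theme for a cash lure — falls through the rule. Appending `|[\x{1F900}-\x{1F9FF}]|[\x{1FA70}-\x{1FAFF}]` to the pattern closes that gap while staying within pictographic blocks. As a point of style, the `\$` escape inside `[\$£€¥₿]` is not needed in a bracket expression and can be dropped, and the leading `// Hunt for emails ...` comment describes a hunt while `type: "rule"` makes this a live rule; rewording it to `// Emoji in the sender display name combined with a currency symbol in the subject` keeps the comment in step with the rule type.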
From: ID Generator
Date: Tue, 29 Jul 2025 17:12:10 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 detection-rules/spam_emoji_cash_lures.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/spam_emoji_cash_lures.yml b/detection-rules/spam_emoji_cash_lures.yml
index e1e5cbce2d6..3e310933ee7 100644
--- a/detection-rules/spam_emoji_cash_lures.yml
+++ b/detection-rules/spam_emoji_cash_lures.yml
@@ -28,3 +28,4 @@ detection_methods:
 - "Content analysis"
 - "Header analysis"
 - "Sender analysis"
+id: "f316f335-51ac-5ead-a059-53fdcb0cb50c"