Scam: Fake estate sale offering welding equipment and tools

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects fraudulent messages impersonating someone selling inherited or estate items, specifically targeting welding equipment, power tools, and machinery. These messages typically claim items are from a deceased relative's estate or due to relocation, require shipping arrangements, and use emotional manipulation to appear legitimate while requesting contact through alternative channels.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	BEC/Fraud
Tactics and techniques	Social engineering, Free email provider, Out of band pivot

Event coverage

Message attribute
body.current_thread
headers (collection)
headers.reply_to (collection)
recipients
sender.email

Rule body MQL

length(body.current_thread.links) < 10
and length(body.current_thread.text) < 3000
and (
  regex.icontains(body.current_thread.text,
                  '(?:Miller|Lincoln\s*Electric|Hobart|ESAB|Fronius|Everlast|Hypertherm|Thermal\s*Dynamics)\s*[^\r\n]{0,50}(?:\bwelder\b|\bwelding\b|\bTIG\b|\bMIG\b|plasma\s*cutter)',
                  '(?:\bwelder\b|\bwelding\b|\bTIG\b|\bMIG\b|plasma\s*cutter)\s*[^\r\n]{0,50}(?:Miller|Lincoln\s*Electric|Hobart|ESAB|Fronius|Everlast|Hypertherm|Thermal\s*Dynamics)'
  )
  or regex.icontains(body.current_thread.text,
                     '(?:Caterpillar|\bCAT\b|John\s*Deere|Kubota|Bobcat|Honda|Generac|Stihl|Husqvarna|\bToro\b)\s*[^\r\n]{0,50}(?:\bgenerator\b|\bchainsaw\b|\bexcavator\b|\bskid\s*steer\b|\btractor\b|\bmower\b|\bloader\b|\bbackhoe\b)'
  )
  or regex.icontains(body.current_thread.text,
                     '(?:welding\s*tools|power\s*tools|tool\s+(?:box|chest|set|kit|collection)|toolbox|toolchest)\s*[^\r\n]{0,50}(?:available|sale|rehome|gift|giving\s*away|free)',
                     '(?:available|sale|rehome|gift|giving\s*away|free)\s*[^\r\n]{0,50}(?:welding\s*tools|power\s*tools|tool\s+(?:box|chest|set|kit|collection)|toolbox|toolchest)'
  )
  or strings.ilike(body.current_thread.text,
                   '*welding tools*',
                   '*tools and accessories*'
  )
  or (
    length(regex.extract(body.current_thread.text,
                         '(?i)(?:generator|refrigerator|trailer|tractor|lawnmower|mower|washer|dryer|freezer|treadmill|peloton|vanity|dresser|couch|sectional|kennel|mattress|bed\s*frame|hot\s*tub|golf\s*cart|tv|gazebo|loveseat|dishwasher|microwave|kitchenaid|rolex|watch|honda|toyota|ford|chevy|jeep|kubota|bobcat|polaris|kawasaki|macbook|iphone|playstation|ps5|xbox|canon|sony|dji|piano|keyboard|guitar|violin)\b[^\r\n]{0,30}(?:\(\s*\d{2,5}\s*\)|\$\s*\d{2,5}|\bfor\s+\$?\d{2,5})'
           )
    ) >= 5
    and regex.icontains(body.current_thread.text,
                        'late (?:husband|father|dad|wife|mother|mom)',
                        '(?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate'
    )
  )
)
and (
  regex.icontains(body.current_thread.text,
                  'late (?:husband|father|dad|wife|mother|mom)',
                  '(?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate',
                  'inherited instruments',
                  'just lost (?:her|his|their) (?:husband|father|dad|wife|mother|mom)'
  )
  or strings.ilike(body.current_thread.text,
                   '* downsizing *',
                   '* relocating soon *',
                   '* to relocate *',
                   '*prepares to relocate*',
                   '*relocate with*family*'
  )
  or strings.ilike(body.current_thread.text,
                   '*sponsored*giveaway*',
                   '*giveaway*sponsored*',
                   '* generously offering *',
                   '* generous offer *',
                   '*a loving home*',
                   '*a good home*',
                   '*find a new home *',
                   '*rehome these instruments *',
                   '* free donation*'
  )
  or regex.icontains(body.current_thread.text,
                     'giv\w+\s+away\s+(?:her|his|their|my|our)\s+(?:late|deceased|dad|father|mother|husband|wife)',
                     'giv\w+\s+away\s+(?:her|his|their|my|our)[^\r\n]{0,40}(?:tool|welder|welding|equipment|instrument|machine)'
  )
  or strings.ilike(body.current_thread.text,
                   '*generous opportunity*',
                   '*who needs a reliable*',
                   '*comprehensive set of tools*',
                   '*top-of-the-line machine*'
  )
)
and (
  regex.icontains(body.current_thread.text,
                  'shipping (?:fee|cost|arrangement)',
                  '(?:responsible|pay) for shipping',
                  'no (?:local\s)?pick.?up',
                  '(?:local\s)?pick.?up.{0,50}not available',
                  'delivery only',
                  'moving company'
  )
  or strings.ilike(body.current_thread.text,
                   '* if you will take it *',
                   '* or have someone *',
                   '* indicate your interest *',
                   '* to someone you know *',
                   '* know someone who *',
                   '* someone you know would *',
                   '* someone who will *',
                   '* someone who truly *',
                   '* anyone you know *'
  )
  or regex.icontains(body.current_thread.text,
                     'if you[^\r\n]{0,20}(?:(?:might|will|would) be|are)[^\r\n]{0,20}interested',
                     '(?:any|some)one[^\r\n]{0,20}(is|will|would|might be)[^\r\n]{0,20}interested',
                     'who (?:will|would|might) appreciate'
  )
  or (
    any(regex.extract(body.current_thread.text,
                      "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
        ),
        strings.parse_email(.full_match).domain.domain in $free_email_providers
        or strings.parse_email(.full_match).domain.root_domain in $free_email_providers
    )
    or (
      length(headers.reply_to) > 0
      and sender.email.email not in map(headers.reply_to, .email.email)
    )
    or length(recipients.to) == 0
    or regex.icontains(body.current_thread.text,
                       '(?:call|contact|text)[^\r\n]{0,50} at'
    )
    or regex.icontains(body.current_thread.text,
                       '(?:private|personal|primary) (?:e-?)?mail'
    )
    or strings.icontains(body.current_thread.text,
                         'happy to answer any questions you may have'
    )
    or strings.icontains(body.current_thread.text, ' kindly ')
    or strings.icontains(body.current_thread.text, ' (kindly ')
  )
)

Detection logic

length(body.current_thread.links) < 10
length(body.current_thread.text) < 3000
any of:
- body.current_thread.text matches any of 2 patterns
  - (?:Miller|Lincoln\s*Electric|Hobart|ESAB|Fronius|Everlast|Hypertherm|Thermal\s*Dynamics)\s*[^\r\n]{0,50}(?:\bwelder\b|\bwelding\b|\bTIG\b|\bMIG\b|plasma\s*cutter)
  - (?:\bwelder\b|\bwelding\b|\bTIG\b|\bMIG\b|plasma\s*cutter)\s*[^\r\n]{0,50}(?:Miller|Lincoln\s*Electric|Hobart|ESAB|Fronius|Everlast|Hypertherm|Thermal\s*Dynamics)
- body.current_thread.text matches '(?:Caterpillar|\\bCAT\\b|John\\s*Deere|Kubota|Bobcat|Honda|Generac|Stihl|Husqvarna|\\bToro\\b)\\s*[^\\r\\n]{0,50}(?:\\bgenerator\\b|\\bchainsaw\\b|\\bexcavator\\b|\\bskid\\s*steer\\b|\\btractor\\b|\\bmower\\b|\\bloader\\b|\\bbackhoe\\b)'
- body.current_thread.text matches any of 2 patterns
  - (?:welding\s*tools|power\s*tools|tool\s+(?:box|chest|set|kit|collection)|toolbox|toolchest)\s*[^\r\n]{0,50}(?:available|sale|rehome|gift|giving\s*away|free)
  - (?:available|sale|rehome|gift|giving\s*away|free)\s*[^\r\n]{0,50}(?:welding\s*tools|power\s*tools|tool\s+(?:box|chest|set|kit|collection)|toolbox|toolchest)
- body.current_thread.text matches any of 2 patterns
  - *welding tools*
  - *tools and accessories*
- all of:
  - length(regex.extract(body.current_thread.text, '(?i)(?:generator|refrigerator|trailer|tractor|lawnmower|mower|washer|dryer|freezer|treadmill|peloton|vanity|dresser|couch|sectional|kennel|mattress|bed\\s*frame|hot\\s*tub|golf\\s*cart|tv|gazebo|loveseat|dishwasher|microwave|kitchenaid|rolex|watch|honda|toyota|ford|chevy|jeep|kubota|bobcat|polaris|kawasaki|macbook|iphone|playstation|ps5|xbox|canon|sony|dji|piano|keyboard|guitar|violin)\\b[^\\r\\n]{0,30}(?:\$\\s*\\d{2,5}\\s*\$|\\$\\s*\\d{2,5}|\\bfor\\s+\\$?\\d{2,5})')) ≥ 5
  - body.current_thread.text matches any of 2 patterns
    
    late (?:husband|father|dad|wife|mother|mom)
    (?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate
body.current_thread.text matches any of 24 patterns
- late (?:husband|father|dad|wife|mother|mom)
- (?:husband|father|dad|wife|mother|mom)[^\r\n]{0,50}estate
- inherited instruments
- just lost (?:her|his|their) (?:husband|father|dad|wife|mother|mom)
- * downsizing *
- * relocating soon *
- * to relocate *
- *prepares to relocate*
- *relocate with*family*
- *sponsored*giveaway*
- *giveaway*sponsored*
- * generously offering *
- * generous offer *
- *a loving home*
- *a good home*
- *find a new home *
- *rehome these instruments *
- * free donation*
- giv\w+\s+away\s+(?:her|his|their|my|our)\s+(?:late|deceased|dad|father|mother|husband|wife)
- giv\w+\s+away\s+(?:her|his|their|my|our)[^\r\n]{0,40}(?:tool|welder|welding|equipment|instrument|machine)
- *generous opportunity*
- *who needs a reliable*
- *comprehensive set of tools*
- *top-of-the-line machine*
any of:
- body.current_thread.text matches any of 6 patterns
  - shipping (?:fee|cost|arrangement)
  - (?:responsible|pay) for shipping
  - no (?:local\s)?pick.?up
  - (?:local\s)?pick.?up.{0,50}not available
  - delivery only
  - moving company
- body.current_thread.text matches any of 9 patterns
  - * if you will take it *
  - * or have someone *
  - * indicate your interest *
  - * to someone you know *
  - * know someone who *
  - * someone you know would *
  - * someone who will *
  - * someone who truly *
  - * anyone you know *
- body.current_thread.text matches any of 3 patterns
  - if you[^\r\n]{0,20}(?:(?:might|will|would) be|are)[^\r\n]{0,20}interested
  - (?:any|some)one[^\r\n]{0,20}(is|will|would|might be)[^\r\n]{0,20}interested
  - who (?:will|would|might) appreciate
- any of:
  - any of regex.extract(body.current_thread.text) where any holds:
    
    strings.parse_email(.full_match).domain.domain in $free_email_providers
    strings.parse_email(.full_match).domain.root_domain in $free_email_providers
  - all of:
    
    length(headers.reply_to) > 0
    sender.email.email not in map(headers.reply_to, .email.email)
  - length(recipients.to) is 0
  - body.current_thread.text matches '(?:call|contact|text)[^\\r\\n]{0,50} at'
  - body.current_thread.text matches '(?:private|personal|primary) (?:e-?)?mail'
  - body.current_thread.text contains 'happy to answer any questions you may have'
  - body.current_thread.text contains ' kindly '
  - body.current_thread.text contains ' (kindly '

Inspects: body.current_thread.links, body.current_thread.text, headers.reply_to, headers.reply_to[].email.email, recipients.to, sender.email.email. Sensors: regex.extract, regex.icontains, strings.icontains, strings.ilike, strings.parse_email. Reference lists: $free_email_providers.

Indicators matched (56)

Field	Match	Value
`regex.icontains`	regex	`(?:Miller\|Lincoln\sElectric\|Hobart\|ESAB\|Fronius\|Everlast\|Hypertherm\|Thermal\sDynamics)\s[^\r\n]{0,50}(?:\bwelder\b\|\bwelding\b\|\bTIG\b\|\bMIG\b\|plasma\scutter)`
`regex.icontains`	regex	`(?:\bwelder\b\|\bwelding\b\|\bTIG\b\|\bMIG\b\|plasma\scutter)\s[^\r\n]{0,50}(?:Miller\|Lincoln\sElectric\|Hobart\|ESAB\|Fronius\|Everlast\|Hypertherm\|Thermal\sDynamics)`
`regex.icontains`	regex	`(?:Caterpillar\|\bCAT\b\|John\sDeere\|Kubota\|Bobcat\|Honda\|Generac\|Stihl\|Husqvarna\|\bToro\b)\s[^\r\n]{0,50}(?:\bgenerator\b\|\bchainsaw\b\|\bexcavator\b\|\bskid\s*steer\b\|\btractor\b\|\bmower\b\|\bloader\b\|\bbackhoe\b)`
`regex.icontains`	regex	`(?:welding\stools\|power\stools\|tool\s+(?:box\|chest\|set\|kit\|collection)\|toolbox\|toolchest)\s[^\r\n]{0,50}(?:available\|sale\|rehome\|gift\|giving\saway\|free)`
`regex.icontains`	regex	`(?:available\|sale\|rehome\|gift\|giving\saway\|free)\s[^\r\n]{0,50}(?:welding\stools\|power\stools\|tool\s+(?:box\|chest\|set\|kit\|collection)\|toolbox\|toolchest)`
`strings.ilike`	substring	`welding tools`
`strings.ilike`	substring	`tools and accessories`
`regex.extract`	regex	`(?i)(?:generator\|refrigerator\|trailer\|tractor\|lawnmower\|mower\|washer\|dryer\|freezer\|treadmill\|peloton\|vanity\|dresser\|couch\|sectional\|kennel\|mattress\|bed\sframe\|hot\stub\|golf\scart\|tv\|gazebo\|loveseat\|dishwasher\|microwave\|kitchenaid\|rolex\|watch\|honda\|toyota\|ford\|chevy\|jeep\|kubota\|bobcat\|polaris\|kawasaki\|macbook\|iphone\|playstation\|ps5\|xbox\|canon\|sony\|dji\|piano\|keyboard\|guitar\|violin)\b[^\r\n]{0,30}(?:$\s\d{2,5}\s$\|\$\s\d{2,5}\|\bfor\s+\$?\d{2,5})`
`regex.icontains`	regex	`late (?:husband\|father\|dad\|wife\|mother\|mom)`
`regex.icontains`	regex	`(?:husband\|father\|dad\|wife\|mother\|mom)[^\r\n]{0,50}estate`
`regex.icontains`	regex	`inherited instruments`
`regex.icontains`	regex	`just lost (?:her\|his\|their) (?:husband\|father\|dad\|wife\|mother\|mom)`

44 more

`strings.ilike`	substring	`* downsizing *`
`strings.ilike`	substring	`* relocating soon *`
`strings.ilike`	substring	`* to relocate *`
`strings.ilike`	substring	`prepares to relocate`
`strings.ilike`	substring	`relocate withfamily*`
`strings.ilike`	substring	`sponsoredgiveaway*`
`strings.ilike`	substring	`giveawaysponsored*`
`strings.ilike`	substring	`* generously offering *`
`strings.ilike`	substring	`* generous offer *`
`strings.ilike`	substring	`a loving home`
`strings.ilike`	substring	`a good home`
`strings.ilike`	substring	`find a new home `
`strings.ilike`	substring	`rehome these instruments `
`strings.ilike`	substring	`* free donation*`
`regex.icontains`	regex	`giv\w+\s+away\s+(?:her\|his\|their\|my\|our)\s+(?:late\|deceased\|dad\|father\|mother\|husband\|wife)`
`regex.icontains`	regex	`giv\w+\s+away\s+(?:her\|his\|their\|my\|our)[^\r\n]{0,40}(?:tool\|welder\|welding\|equipment\|instrument\|machine)`
`strings.ilike`	substring	`generous opportunity`
`strings.ilike`	substring	`who needs a reliable`
`strings.ilike`	substring	`comprehensive set of tools`
`strings.ilike`	substring	`top-of-the-line machine`
`regex.icontains`	regex	`shipping (?:fee\|cost\|arrangement)`
`regex.icontains`	regex	`(?:responsible\|pay) for shipping`
`regex.icontains`	regex	`no (?:local\s)?pick.?up`
`regex.icontains`	regex	`(?:local\s)?pick.?up.{0,50}not available`
`regex.icontains`	regex	`delivery only`
`regex.icontains`	regex	`moving company`
`strings.ilike`	substring	`* if you will take it *`
`strings.ilike`	substring	`* or have someone *`
`strings.ilike`	substring	`* indicate your interest *`
`strings.ilike`	substring	`* to someone you know *`
`strings.ilike`	substring	`* know someone who *`
`strings.ilike`	substring	`* someone you know would *`
`strings.ilike`	substring	`* someone who will *`
`strings.ilike`	substring	`* someone who truly *`
`strings.ilike`	substring	`* anyone you know *`
`regex.icontains`	regex	`if you[^\r\n]{0,20}(?:(?:might\|will\|would) be\|are)[^\r\n]{0,20}interested`
`regex.icontains`	regex	`(?:any\|some)one[^\r\n]{0,20}(is\|will\|would\|might be)[^\r\n]{0,20}interested`
`regex.icontains`	regex	`who (?:will\|would\|might) appreciate`
`regex.extract`	regex	`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}`
`regex.icontains`	regex	`(?:call\|contact\|text)[^\r\n]{0,50} at`
`regex.icontains`	regex	`(?:private\|personal\|primary) (?:e-?)?mail`
`strings.icontains`	substring	`happy to answer any questions you may have`
`strings.icontains`	substring	`kindly`
`strings.icontains`	substring	`(kindly`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)