Attachment: RFP/RFQ impersonating government entities
An attached RFP/RFQ (request for proposal / request for quotation) impersonates a U.S. government department or entity in order to solicit fraudulent transactions.
name: "Attachment: RFP/RFQ impersonating government entities"
description: "Attached RFP/RFQ impersonates a U.S. government department or entity to commit fraudulent transactions."
type: "rule"
severity: "high"
# Sublime MQL query. Every top-level clause is AND-ed, so a message must satisfy all of them to match.
source: |
  // Inbound mail carrying exactly one attachment.
  type.inbound
  and length(attachments) == 1
  // That attachment has an extension in the $file_extensions_macros list or is detected as a PDF.
  and all(attachments,
    .file_extension in~ $file_extensions_macros or .file_type == "pdf"
  )
  // The current thread's body mentions a "department of" / "office of" (government-style naming).
  and regex.icontains(body.current_thread.text, "department of|office of")
  // RFP/RFQ wording appears in the subject or in an attachment filename.
  and (
    regex.icontains(subject.subject,
      '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
    )
    or any(attachments,
      regex.icontains(.file_name,
        '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
      )
    )
  )
  // NOTE(review): this is a case-insensitive substring match on the registered domain, not a TLD check.
  // It matches any sender domain containing "gov" (look-alikes such as "gov-procurement.com" or unrelated
  // names like "*governance*.com") and does not distinguish a spoofed/look-alike sender from a genuinely
  // authenticated .gov sender; there is no sender-authentication (DMARC/SPF) condition elsewhere in the rule.
  and strings.icontains(sender.email.domain.domain, "gov")
  // NLU classifies the body as a purchase order, AND OCR text from the exploded attachment
  // yields an entity containing "department of" / "office of".
  and (
    any(ml.nlu_classifier(body.current_thread.text).tags,
      .name == "purchase_order"
    )
    and any(attachments,
      any(file.explode(.),
        any(ml.nlu_classifier(.scan.ocr.raw).entities,
          regex.icontains(.text, "department of|office of")
        )
      )
    )
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "3b73e3b3-b4cc-5e2d-9e9c-5812f3a0370a"