Attachment: RFP/RFQ impersonating government entities

Attached RFP/RFQ impersonates a U.S. government department or entity to commit fraudulent transactions.

Sublime rule

# Sublime detection rule. Fires on an inbound message that carries exactly one
# RFP/RFQ-looking attachment, references a government "department of" / "office of"
# in the thread text and in the attachment's OCR output, and comes from a sender
# domain containing "gov". The metadata keys below are the rule's catalogue fields;
# the `source:` block is the MQL query itself.
name: "Attachment: RFP/RFQ impersonating government entities"
description: "Attached RFP/RFQ impersonates a U.S. government department or entity to commit fraudulent transactions."
type: "rule"
severity: "high"
# Query walkthrough (kept outside the block scalar: any text inside `source: |`
# becomes part of the query string, so YAML comments cannot be placed there).
#  - Scope: inbound only, with exactly one attachment, and that attachment's
#    extension must be in the `$file_extensions_macros` list (presumably
#    macro-capable document extensions - confirm against the list definition)
#    or its detected file type must be "pdf".
#  - Body: the current thread text must contain "department of" or "office of"
#    (case-insensitive, unanchored).
#  - Procurement wording: the subject OR any attachment file name must match
#    "request for purchase/quote/quotation", or the whole words RFQ / RFP.
#  - Sender: the sender domain must contain the substring "gov"
#    (case-insensitive). NOTE(review): this is a substring test, not a TLD
#    check, so any domain with "gov" in its name matches (e.g. a lookalike
#    registered domain); that looks intentional for impersonation coverage,
#    but it also matches unrelated names that merely contain "gov" - confirm.
#  - Content/ML: the NLU classifier must tag the body as "purchase_order" AND,
#    for the attachment, an entity extracted from the OCR text of any exploded
#    file must match "department of|office of". These ML/OCR clauses sit last
#    in the `and` chain, presumably so the cheaper checks gate them -
#    reordering the clauses may change evaluation cost; verify before editing.
source: |
  type.inbound
  and length(attachments) == 1
  and all(attachments,
          .file_extension in~ $file_extensions_macros or .file_type == "pdf"
  )
  and regex.icontains(body.current_thread.text, "department of|office of")
  and (
    regex.icontains(subject.subject,
                    '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
    )
    or any(attachments,
           regex.icontains(.file_name,
                           '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
           )
    )
  )
  and strings.icontains(sender.email.domain.domain, "gov")
  and (
    any(ml.nlu_classifier(body.current_thread.text).tags,
        .name == "purchase_order"
    )
    and any(attachments,
            any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).entities,
                    regex.icontains(.text, "department of|office of")
                )
            )
    )
  )  

# Catalogue metadata used for triage and reporting; does not affect matching.
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
# Stable rule identifier.
id: "3b73e3b3-b4cc-5e2d-9e9c-5812f3a0370a"