Attachment: USDA bid invitation impersonation

Detects messages claiming to be from USDA containing bid invitations with macro-enabled attachments or PDFs. Validates USDA-related content through OCR and natural language analysis.

Sublime rule (View on GitHub)

# Sublime detection rule: flags inbound mail that impersonates USDA with a
# "bid invitation" lure delivered as a macro-capable attachment or a PDF.
# Every clause in `source` must hold (they are AND-ed), so the rule is
# deliberately narrow: one attachment, USDA/agriculture wording in both the
# attachment (via OCR) and the body, and "usda" in the sender domain.
name: "Attachment: USDA bid invitation impersonation"
description: "Detects messages claiming to be from USDA containing bid invitations with macro-enabled attachments or PDFs. Validates USDA-related content through OCR and natural language analysis."
type: "rule"
severity: "medium"
# Background on the campaign this rule targets (government / small-business bid spoofing).
references:
  - "https://www.proofpoint.com/uk/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids"
source: |
  // Inbound mail carrying exactly one attachment.
  type.inbound
  and length(attachments) == 1
  // With a single attachment, all() here is effectively a check on that one file:
  // it must be macro-capable (extension in $file_extensions_macros, case-insensitive)
  // or be detected as a PDF by file type rather than by extension.
  and all(attachments,
          (.file_extension in~ $file_extensions_macros or .file_type == "pdf")
          // Explode the attachment, OCR each resulting piece, and run the NLU
          // classifier over the raw OCR text; at least one extracted entity
          // must contain "Agriculture" (case-insensitive substring).
          and any(file.explode(.),
                  any(ml.nlu_classifier(.scan.ocr.raw).entities,
                      strings.icontains(.text, "Agriculture")
                  )
          )
  )
  // The visible body text of the current thread must mention "bid".
  and strings.icontains(body.current_thread.text, "bid")
  // Lure wording: either the subject advertises an invitation to bid,
  // or some attachment file name contains "usda".
  and (
    strings.icontains(subject.subject, 'invitation to bid')
    or any(attachments, strings.icontains(.file_name, 'usda'))
  )
  // Substring match on the sender's domain.
  // NOTE(review): this is only an icontains on the domain string, so it matches
  // lookalike domains that embed "usda" as well as the genuine USDA domain; the
  // rule contains no sender-authentication or allowlist exclusion, so confirm
  // whether legitimate USDA senders are meant to be excluded elsewhere.
  and strings.icontains(sender.email.domain.domain, "usda")
  // The NLU classifier must also tag "usda" in the body as a sender or org entity.
  // NOTE(review): .text == "usda" is an exact, case-sensitive compare (unlike the
  // icontains checks above) — confirm the classifier lowercases entity text.
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .text == "usda" and .name in ("sender", "org")
  )  
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "Macros"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition" 
  - "Sender analysis"
id: "34eb9493-f74b-535a-8e21-bb37ca69b7f4"