Attachment: USDA bid invitation impersonation
Detects messages claiming to be from USDA containing bid invitations with macro-enabled attachments or PDFs. Validates USDA-related content through OCR and natural language analysis.
Sublime rule
name: "Attachment: USDA bid invitation impersonation"
description: "Detects messages claiming to be from USDA containing bid invitations with macro-enabled attachments or PDFs. Validates USDA-related content through OCR and natural language analysis."
type: "rule"
severity: "medium"
references:
  - "https://www.proofpoint.com/uk/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids"
source: |
  type.inbound
  and length(attachments) == 1
  and all(attachments,
          (.file_extension in~ $file_extensions_macros or .file_type == "pdf")
          and any(file.explode(.),
                  any(ml.nlu_classifier(.scan.ocr.raw).entities,
                      strings.icontains(.text, "Agriculture")
                  )
          )
  )
  and strings.icontains(body.current_thread.text, "bid")
  and (
    strings.icontains(subject.subject, 'invitation to bid')
    or any(attachments, strings.icontains(.file_name, 'usda'))
  )
  and strings.icontains(sender.email.domain.domain, "usda")
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .text == "usda" and .name in ("sender", "org")
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "Macros"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "34eb9493-f74b-535a-8e21-bb37ca69b7f4"
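To make the rule's chained conditions concrete, the following is an added example in plain Python, not Sublime's own code or query language. It mirrors each clause of the `source` block above and evaluates it against constructed sample messages. Because `file.explode`, OCR and `ml.nlu_classifier` are platform services that cannot run offline, their outputs are assumed to be already attached to each message as precomputed entity lists (`ocr_entities`, `body_entities`), and `$file_extensions_macros` is stood in for by a small assumed set of macro-enabled Office extensions. Sender domains and file names in the samples are constructed placeholders.

```python
# Added example: an offline approximation of the Sublime rule's logic.
# Assumption: OCR and NLU results are precomputed and stored on the message.

# Assumed stand-in for Sublime's $file_extensions_macros list.
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm"}


def attachment_matches(att):
    """One attachment must be macro-enabled or a PDF AND, after OCR + NLU,
    yield an entity whose text contains 'agriculture' (case-insensitive)."""
    ext_ok = (att["file_extension"].lower() in MACRO_EXTENSIONS
              or att["file_type"] == "pdf")
    # Stands in for: any(file.explode(.), any(ml.nlu_classifier(.scan.ocr.raw).entities, ...))
    ocr_ok = any("agriculture" in e["text"].lower()
                 for e in att.get("ocr_entities", []))
    return ext_ok and ocr_ok


def rule_matches(msg):
    """Return True when every clause of the rule holds for the message."""
    atts = msg["attachments"]
    if not msg["inbound"] or len(atts) != 1:          # type.inbound, length(attachments) == 1
        return False
    if not all(attachment_matches(a) for a in atts):  # all(attachments, ...)
        return False
    if "bid" not in msg["body_text"].lower():         # strings.icontains(body..., "bid")
        return False
    subject_or_name = ("invitation to bid" in msg["subject"].lower()
                       or any("usda" in a["file_name"].lower() for a in atts))
    if not subject_or_name:
        return False
    if "usda" not in msg["sender_domain"].lower():    # strings.icontains(sender domain, "usda")
        return False
    # NLU entity over the body: text "usda" labelled as a sender or org entity.
    return any(e["text"] == "usda" and e["name"] in ("sender", "org")
               for e in msg.get("body_entities", []))


# Constructed sample messages (not real mail).
SAMPLE_MATCH = {
    "inbound": True,
    "subject": "Invitation to Bid - USDA Solicitation",
    "body_text": "Please review the attached USDA bid package and respond by Friday.",
    "sender_domain": "usda-bids-example.com",  # constructed lookalike domain
    "attachments": [{
        "file_name": "USDA_Bid_Invitation.docm",
        "file_extension": "docm",
        "file_type": "docm",
        "ocr_entities": [{"text": "U.S. Department of Agriculture", "name": "org"}],
    }],
    "body_entities": [{"text": "usda", "name": "org"}],
}

SAMPLE_BENIGN = {
    "inbound": True,
    "subject": "Q3 pricing sheet",
    "body_text": "Attached is the updated pricing sheet we discussed.",
    "sender_domain": "partner-example.com",
    "attachments": [{
        "file_name": "Q3_pricing.xlsx",
        "file_extension": "xlsx",
        "file_type": "xlsx",
        "ocr_entities": [],
    }],
    "body_entities": [],
}

# Same lookalike PDF, but the body NLU pass produced no "usda" sender/org entity.
SAMPLE_NO_BODY_ENTITY = {
    "inbound": True,
    "subject": "Invitation to bid",
    "body_text": "See attached bid form.",
    "sender_domain": "usda-procurement-example.net",  # constructed lookalike domain
    "attachments": [{
        "file_name": "bid_form.pdf",
        "file_extension": "pdf",
        "file_type": "pdf",
        "ocr_entities": [{"text": "Department of Agriculture", "name": "org"}],
    }],
    "body_entities": [{"text": "acme", "name": "org"}],
}


def evaluate(samples):
    """Evaluate the rule over a name -> message mapping."""
    return {name: rule_matches(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate({"match": SAMPLE_MATCH,
                               "benign": SAMPLE_BENIGN,
                               "no_body_entity": SAMPLE_NO_BODY_ENTITY}).items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

Two points worth noting from the logic itself: every clause is ANDed, so a lookalike message that fails the final NLU check (third sample) does not fire, which keeps the rule's false-positive surface small; and the sender check is a substring match on "usda", so the rule does not distinguish a lookalike domain from the legitimate one, relying on the attachment-type, body and NLU clauses to separate a genuine notice from a fraudulent one.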