Brand impersonation: Internal Revenue Service

calendar Aug 5, 2025  ·
Share on: linkedin copy

Detects messages from senders posing as the Internal Revenue Service by checking display name similarity and content indicators from body text and screenshots. Excludes legitimate IRS domains and authenticated senders.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Internal Revenue Service"
 2description: "Detects messages from senders posing as the Internal Revenue Service by checking display name similarity and content indicators from body text and screenshots. Excludes legitimate IRS domains and authenticated senders."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and (
 8    // display name contains IRS
 9    (
10      strings.ilike(strings.replace_confusables(sender.display_name),
11                    '*internal revenue service*'
12      )
13      or strings.ilike(strings.replace_confusables(sender.display_name),
14                    'IRS*'
15      )
16    )
17    // levenshtein distance similar to IRS
18    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
19                            'internal revenue service'
20    ) <= 1
21  )
22  and (
23    any(beta.ml_topic(body.current_thread.text).topics,
24        .name in ("Security and Authentication", "Financial Communications")
25        and .confidence in ("high")
26    )
27    or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
28           .name in ("Security and Authentication", "Financial Communications")
29           and .confidence in ("high")
30    )
31    or any(ml.nlu_classifier(body.current_thread.text).intents,
32           .name == "cred_theft" and .confidence == "high"
33    )
34    or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
35           .name == "cred_theft" and .confidence == "high"
36    )
37  )
38  
39  // and the sender is not in org_domains or from IRS domains and passes auth
40  and not (
41    sender.email.domain.root_domain in $org_domains
42    or (
43      sender.email.domain.root_domain in ("irs.gov", "govdelivery.com")
44      and headers.auth_summary.dmarc.pass
45    )
46  )
47  // and the sender is not from high trust sender root domains
48  and (
49    (
50      sender.email.domain.root_domain in $high_trust_sender_root_domains
51      and not headers.auth_summary.dmarc.pass
52    )
53    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
54  )
55  and not profile.by_sender().solicited  
56
57attack_types:
58  - "BEC/Fraud"
59  - "Credential Phishing"
60tactics_and_techniques:
61  - "Impersonation: Brand"
62  - "Social engineering"
63detection_methods:
64  - "Content analysis"
65  - "Natural Language Understanding"
66  - "Optical Character Recognition"
67  - "Sender analysis"
68id: "3c63f8e9-4bce-5ce3-b17d-1ae361b5782d"
to-top