Brand impersonation: Internal Revenue Service
Detects messages from senders posing as the Internal Revenue Service by checking display name similarity and content indicators from body text and screenshots. Excludes legitimate IRS domains and authenticated senders.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Internal Revenue Service"
2description: "Detects messages from senders posing as the Internal Revenue Service by checking display name similarity and content indicators from body text and screenshots. Excludes legitimate IRS domains and authenticated senders."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and (
8 // display name contains IRS
9 (
10 strings.ilike(strings.replace_confusables(sender.display_name),
11 '*internal revenue service*'
12 )
13 or strings.like(strings.replace_confusables(sender.display_name), 'IRS*')
14 )
15 // levenshtein distance similar to IRS
16 or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
17 'internal revenue service'
18 ) <= 1
19 or (
20 strings.like(strings.replace_confusables(subject.base), '*IRS*')
21 and any(ml.nlu_classifier(body.current_thread.text).topics,
22 .name == "Government Services" and .confidence != "low"
23 )
24 )
25 )
26 and (
27 (
28 any(ml.nlu_classifier(body.current_thread.text).topics,
29 .name in ("Security and Authentication", "Financial Communications")
30 and .confidence == "high"
31 )
32 and not any(ml.nlu_classifier(body.current_thread.text).topics,
33 .name in (
34 "Advertising and Promotions",
35 "Newsletters and Digests",
36 "Political Mail",
37 "Events and Webinars"
38 )
39 and .confidence != "low"
40 )
41 )
42 or (
43 // OCR length is more than 2x the current_thread length
44 // indicating that the body is mostly an image
45 (
46 (length(beta.ocr(file.message_screenshot()).text) + 0.0) / (
47 length(body.current_thread.text) + 0.0
48 )
49 ) > 2
50 and length(body.previous_threads) == 0
51 and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
52 .name in ("Security and Authentication", "Financial Communications")
53 and .confidence == "high"
54 )
55 and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
56 .name in (
57 "Advertising and Promotions",
58 "Newsletters and Digests",
59 "Political Mail",
60 "Events and Webinars"
61 )
62 and .confidence != "low"
63 )
64 )
65 or any(ml.nlu_classifier(body.current_thread.text).intents,
66 .name == "cred_theft" and .confidence == "high"
67 )
68 or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
69 .name == "cred_theft" and .confidence == "high"
70 )
71 )
72
73 and not (
74 (
75 length(body.current_thread.text) > 2500
76 or any(headers.hops,
77 any(.fields,
78 .name == 'List-Unsubscribe-Post'
79 and .value == 'List-Unsubscribe=One-Click'
80 )
81 )
82 )
83 and any(ml.nlu_classifier(body.current_thread.text).intents,
84 .name == "benign" and .confidence == "high"
85 )
86 )
87
88 // and the sender is not in org_domains or from .gov domains and passes auth
89 and not (
90 sender.email.domain.root_domain in $org_domains
91 or (
92 (
93 sender.email.domain.root_domain in ("govdelivery.com", "ms-cpa.org")
94 or sender.email.domain.tld == "gov"
95 )
96 and headers.auth_summary.dmarc.pass
97 )
98 )
99 // and the sender is not from high trust sender root domains
100 and (
101 (
102 sender.email.domain.root_domain in $high_trust_sender_root_domains
103 and not headers.auth_summary.dmarc.pass
104 )
105 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
106 )
107
108attack_types:
109 - "BEC/Fraud"
110 - "Credential Phishing"
111tactics_and_techniques:
112 - "Impersonation: Brand"
113 - "Social engineering"
114detection_methods:
115 - "Content analysis"
116 - "Natural Language Understanding"
117 - "Optical Character Recognition"
118 - "Sender analysis"
119id: "3c63f8e9-4bce-5ce3-b17d-1ae361b5782d"