Brand impersonation: Internal Revenue Service

Detects messages from senders posing as the Internal Revenue Service by checking display name similarity and content indicators from body text and screenshots. Excludes legitimate IRS domains and authenticated senders.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Internal Revenue Service"
  2description: "Detects messages from senders posing as the Internal Revenue Service by checking display name similarity and content indicators from body text and screenshots. Excludes legitimate IRS domains and authenticated senders."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and (
  8    // display name contains IRS
  9    (
 10      strings.ilike(strings.replace_confusables(sender.display_name),
 11                    '*internal revenue service*'
 12      )
 13      or strings.like(strings.replace_confusables(sender.display_name), 'IRS*')
 14      or regex.icontains(strings.replace_confusables(sender.display_name),
 15                         'internal.{0,5}revenue.{0,5}service'
 16      )
 17    )
 18  
 19    // levenshtein distance similar to IRS
 20    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
 21                            'internal revenue service'
 22    ) <= 1
 23    or (
 24      strings.like(strings.replace_confusables(subject.base), '*IRS*')
 25      and any(ml.nlu_classifier(body.current_thread.text).topics,
 26              .name == "Government Services" and .confidence != "low"
 27      )
 28    )
 29  )
 30  and (
 31    (
 32      any(ml.nlu_classifier(body.current_thread.text).topics,
 33          .name in ("Security and Authentication", "Financial Communications")
 34          and .confidence == "high"
 35      )
 36      and not any(ml.nlu_classifier(body.current_thread.text).topics,
 37                  .name in (
 38                    "Advertising and Promotions",
 39                    "Newsletters and Digests",
 40                    "Political Mail",
 41                    "Events and Webinars"
 42                  )
 43                  and .confidence != "low"
 44      )
 45    )
 46    or (
 47      // OCR length is more than 2x the current_thread length
 48      // indicating that the body is mostly an image
 49      (
 50        (length(beta.ocr(file.message_screenshot()).text) + 0.0) / (
 51          length(body.current_thread.text) + 0.0
 52        )
 53      ) > 2
 54      and length(body.previous_threads) == 0
 55      and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
 56              .name in ("Security and Authentication", "Financial Communications")
 57              and .confidence == "high"
 58      )
 59      and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
 60                  .name in (
 61                    "Advertising and Promotions",
 62                    "Newsletters and Digests",
 63                    "Political Mail",
 64                    "Events and Webinars"
 65                  )
 66                  and .confidence != "low"
 67      )
 68    )
 69    or any(ml.nlu_classifier(body.current_thread.text).intents,
 70           .name == "cred_theft" and .confidence == "high"
 71    )
 72    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
 73           .name == "cred_theft" and .confidence == "high"
 74    )
 75  )
 76  and not (
 77    (
 78      length(body.current_thread.text) > 2500
 79      or any(headers.hops,
 80             any(.fields,
 81                 .name == 'List-Unsubscribe-Post'
 82                 and .value == 'List-Unsubscribe=One-Click'
 83             )
 84      )
 85    )
 86    and any(ml.nlu_classifier(body.current_thread.text).intents,
 87            .name == "benign" and .confidence == "high"
 88    )
 89  )
 90  
 91  // and the sender is not in org_domains or from .gov domains and passes auth
 92  and not (
 93    sender.email.domain.root_domain in $org_domains
 94    or (
 95      (
 96        sender.email.domain.root_domain in ("govdelivery.com", "ms-cpa.org")
 97        or sender.email.domain.tld == "gov"
 98      )
 99      and headers.auth_summary.dmarc.pass
100    )
101  )
102  // and the sender is not from high trust sender root domains
103  and (
104    (
105      sender.email.domain.root_domain in $high_trust_sender_root_domains
106      and not headers.auth_summary.dmarc.pass
107    )
108    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
109  )  
110
111attack_types:
112  - "BEC/Fraud"
113  - "Credential Phishing"
114tactics_and_techniques:
115  - "Impersonation: Brand"
116  - "Social engineering"
117detection_methods:
118  - "Content analysis"
119  - "Natural Language Understanding"
120  - "Optical Character Recognition"
121  - "Sender analysis"
122id: "3c63f8e9-4bce-5ce3-b17d-1ae361b5782d"
to-top