Brand Impersonation: Internal Revenue Service

calendar Apr 7, 2025  ·
Share on: linkedin copy

Detects messages from senders posing as the Internal Revenue Service by checking display name similarity and content indicators from body text and screenshots. Excludes legitimate IRS domains and authenticated senders.

Sublime rule (View on GitHub)

 1name: "Brand Impersonation: Internal Revenue Service"
 2description: "Detects messages from senders posing as the Internal Revenue Service by checking display name similarity and content indicators from body text and screenshots. Excludes legitimate IRS domains and authenticated senders."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and (
 8    // display name contains IRS
 9    (
10      strings.ilike(strings.replace_confusables(sender.display_name),
11                    '*internal revenue service*'
12      )
13    )
14    // levenshtein distance similar to IRS
15    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
16                            'internal revenue service'
17    ) <= 1
18  )
19  and (
20    any(beta.ml_topic(body.current_thread.text).topics,
21        .name in ("Security and Authentication", "Financial Communications")
22        and .confidence in ("high")
23    )
24    or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
25           .name in ("Security and Authentication", "Financial Communications")
26           and .confidence in ("high")
27    )
28    or any(ml.nlu_classifier(body.current_thread.text).intents,
29           .name == "cred_theft" and .confidence == "high"
30    )
31    or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
32           .name == "cred_theft" and .confidence == "high"
33    )
34  )
35  
36  // and the sender is not in org_domains or from IRS domains and passes auth
37  and not (
38    sender.email.domain.root_domain in $org_domains
39    or (
40      sender.email.domain.root_domain in ("irs.gov", "govdelivery.com")
41      and headers.auth_summary.dmarc.pass
42    )
43  )
44  // and the sender is not from high trust sender root domains
45  and (
46    (
47      sender.email.domain.root_domain in $high_trust_sender_root_domains
48      and not headers.auth_summary.dmarc.pass
49    )
50    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
51  )
52  and not profile.by_sender().solicited  
53
54attack_types:
55  - "BEC/Fraud"
56  - "Credential Phishing"
57tactics_and_techniques:
58  - "Impersonation: Brand"
59  - "Social engineering"
60detection_methods:
61  - "Content analysis"
62  - "Natural Language Understanding"
63  - "Optical Character Recognition"
64  - "Sender analysis"
65id: "3c63f8e9-4bce-5ce3-b17d-1ae361b5782d"
to-top