Corporate Services Impersonation Phishing

Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains.

Sublime rule:

# Sublime Security detection rule (YAML). `source` is an MQL query; a message
# matches only when every top-level `and` clause in that query is true.
name: "Corporate Services Impersonation Phishing"
description: "Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains."
type: "rule"
severity: "high"
source: |
  type.inbound
  // between one and seven links; the credential-theft branch further down
  // repeats `length(body.links) > 0`, which this bound already implies
  and 0 < length(body.links) < 8

  // HR language found in subject: a longer subject mentioning timesheets or
  // employee benefit / payroll / policy terms (case-insensitive match)
  and (
    (
      length(subject.subject) > 20
      and regex.icontains(subject.subject,
                          '(time.{0,4}sheet)|(employ).{0,30}(benefit|handbook|comp\b|compensation|salary|pay(roll)?|policy|conduct|acknowl|PTO|vacation)'
      )
    )

    // or HR language found in sender display name; the two negations drop
    // newsletter/forum-style senders and a few display names that would
    // otherwise match the first pattern
    or (
      regex.icontains(sender.display_name,
                      '(Employ|Time.{0,3}sheet|\bHR\b|Human R|Handbook|\bIT[- ]|Help.{0,3}Desk)'
      )
      and not regex.icontains(sender.display_name,
                              "forum|employee voice|briefs|newsletter|screening"
      )
      and not regex.icontains(sender.display_name, "HR (new|vue|view|tech admin|global)")
    )
  )

  // suspicious display_text: call-to-action link text such as "view document"
  // or "click here"; the alternation also lists "Vιew" spelled with a Greek
  // iota so homoglyph-substituted link text still matches
  and (
  any(body.links,
      regex.icontains(.display_text,
                      '((verify|view|click|download|goto|keep|Vιew|release).{0,10}(request|here|attachment|current|download|fax|file|document|message|same)s?)'
      )
      and not strings.ilike(.display_text, "*unsub*")
      and not strings.ilike(.href_url.url, "*privacy-policy*")
      and not strings.ilike(.display_text, "*REGISTER*")

      // from a low reputation link: not an org domain, and either outside the
      // Tranco top 1M or hosted on a free file host / free subdomain host /
      // URL shortener
      and (
        not .href_url.domain.root_domain in $org_domains
        and (
          .href_url.domain.root_domain not in $tranco_1m
          or .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.domain in $url_shorteners
        )
        or
        // or mass mailer link, masks the actual URL
        // NOTE(review): presumably `and` binds tighter than `or` here, so the
        // $org_domains exclusion above does not apply to this branch — confirm
        .href_url.domain.root_domain in (
          "hubspotlinks.com",
          "mandrillapp.com",
          "sendgrid.net",
          "rs6.net",
          "mailanyone.net",
        )
      )
  )
    // or credential theft confidence high: NLU classifier run on the current
    // thread text, with a short list of sender root domains carved out
    // NOTE(review): "or.us" carves out every sender under that .us namespace,
    // presumably for a past false positive — confirm it is meant that broadly
    or (
      length(body.links) > 0
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "cred_theft" and .confidence == "high"
      )
      and not sender.email.domain.root_domain in (
        "servicenowservices.com",
        "workplaceextras.com",
        "tempo.io",
        "or.us"
      )
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a high-trust or org sender is kept only when dmarc.pass is false)
  // NOTE(review): confirm how `not headers.auth_summary.dmarc.pass` evaluates
  // when the message carries no DMARC result at all
  and (
    (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        or sender.email.domain.root_domain in $org_domains
      )
      and not headers.auth_summary.dmarc.pass
    )
    or (
      sender.email.domain.root_domain not in $high_trust_sender_root_domains
      and sender.email.domain.root_domain not in $org_domains
    )
  )
  // not from sharepointonline actual: sharepointonline.com senders whose
  // Message-ID has the "<Spo…@odspnotify>" shape (apparently the platform's
  // own notifications) are excluded
  and not (
      sender.email.domain.root_domain == "sharepointonline.com" and
      strings.ends_with(headers.message_id, '@odspnotify>') and strings.starts_with(headers.message_id, "<Spo")
  )
  // negate common helpdesk platforms seen anywhere in the header domains
  and not any(headers.domains, .root_domain in ("freshemail.io", "zendesk.com"))
  // sender history: unsolicited senders match; solicited senders only if they
  // previously sent malicious/spam mail and never produced a false positive
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // NOTE(review): this global false-positive exclusion already covers the
  // inner `and not profile.by_sender().any_false_positives` just above
  and not profile.by_sender().any_false_positives
# Classification metadata for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "3cd04f33-5519-5cc1-8740-e8ce6cddf8a0"