Corporate Services Impersonation Phishing

Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains.

Sublime rule (View on GitHub)

 1name: "Corporate Services Impersonation Phishing"
 2description: "Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and 0 < length(body.links) < 8
 8  
 9  // HR language found in subject
10  and (
11    (
12      length(subject.subject) > 20
13      and regex.icontains(subject.subject,
14                          '(time.{0,4}sheet)|(employ).{0,30}(benefit|handbook|comp\b|compensation|salary|pay(roll)?|policy|conduct|acknowl|PTO|vacation)'
15      )
16    )
17  
18    // or HR language found in sender
19    or regex.icontains(sender.display_name,
20                       '(Employ|Time.{0,3}sheet|\bHR\b|Human R|Handbook|\bIT[- ]|Help.{0,3}Desk)'
21    )
22  )
23  
24  // suspicious display_text
25  and any(body.links,
26          regex.icontains(.display_text,
27                          '((verify|view|click|download|goto|keep|Vιew|release).{0,10}(|here|attachment|current|download|fax|file|document|message|same)s?)'
28          )
29          and not strings.ilike(.display_text, "*unsub*")
30  
31          // from a low reputation link
32          and not .href_url.domain.root_domain in $org_domains
33          and (
34            .href_url.domain.root_domain not in $tranco_1m
35            or .href_url.domain.domain in $free_file_hosts
36            or .href_url.domain.root_domain in $free_file_hosts
37            or .href_url.domain.root_domain in $free_subdomain_hosts
38            or .href_url.domain.domain in $url_shorteners
39          )
40          or 
41          // or mass mailer link, masks the actual URL
42          .href_url.domain.root_domain in (
43            "hubspotlinks.com",
44            "mandrillapp.com",
45            "sendgrid.net",
46            "rs6.net",
47            "mailanyone.net"
48          )
49          // or credential theft confidence high
50          or any(ml.nlu_classifier(body.current_thread.text).intents,
51                 .name == "cred_theft" and .confidence == "high"
52          )
53  )
54  
55  // negate highly trusted sender domains unless they fail DMARC authentication
56  and (
57    (
58      sender.email.domain.root_domain in $high_trust_sender_root_domains
59      and not headers.auth_summary.dmarc.pass
60    )
61    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
62  )
63  and (
64    not profile.by_sender().solicited
65    or (
66      profile.by_sender().any_messages_malicious_or_spam
67      and not profile.by_sender().any_false_positives
68    )
69  )
70  and not profile.by_sender().any_false_positives  
71
72attack_types:
73  - "Credential Phishing"
74tactics_and_techniques:
75  - "Impersonation: Employee"
76  - "Social engineering"
77detection_methods:
78  - "Content analysis"
79  - "Header analysis"
80  - "Natural Language Understanding"
81  - "Sender analysis"
82id: "3cd04f33-5519-5cc1-8740-e8ce6cddf8a0"