Corporate Services Impersonation Phishing
Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains.
# Sublime Security detection rule. The `source` block is an MQL expression
# evaluated against each message; the message is flagged when the whole
# expression is true.
name: "Corporate Services Impersonation Phishing"
description: "Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains."
type: "rule"
severity: "high"
source: |
  // Scope: inbound mail carrying between 1 and 7 links. The upper bound
  // presumably keeps link-heavy bulk mail out of the rule.
  type.inbound
  and 0 < length(body.links) < 8

  // HR language found in subject
  // The subject must be longer than 20 characters and mention timesheets or
  // employee benefit / payroll / policy themes (case-insensitive regex).
  and (
    (
      length(subject.subject) > 20
      and regex.icontains(subject.subject,
                          '(time.{0,4}sheet)|(employ).{0,30}(benefit|handbook|comp\b|compensation|salary|pay(roll)?|policy|conduct|acknowl|PTO|vacation)'
      )
    )

    // or HR language found in sender
    // The display name claims an HR / IT / help desk role; the two negative
    // patterns carve out names that contain the same tokens but are not
    // treated as impersonation here (forums, newsletters, "HR view", etc.).
    or (
      regex.icontains(sender.display_name,
                      '(Employ|Time.{0,3}sheet|\bHR\b|Human R|Handbook|\bIT[- ]|Help.{0,3}Desk)'
      )
      and not regex.icontains(sender.display_name,
                              "forum|employee voice|briefs|newsletter|screening"
      )
      and not regex.icontains(sender.display_name, "HR (new|vue|view|tech admin|global)")
    )
  )

  // suspicious display_text
  // Either branch of this OR is sufficient on its own: a call-to-action link
  // that lands on a low-reputation or link-masking domain, or a
  // high-confidence cred_theft verdict from the NLU classifier.
  and (
    any(body.links,
        // "Vιew" is spelled with a non-Latin "ι" so that homoglyph-substituted
        // call-to-action text is matched alongside the plain "view" alternative.
        regex.icontains(.display_text,
                        '((verify|view|click|download|goto|keep|Vιew|release).{0,10}(request|here|attachment|current|download|fax|file|document|message|same)s?)'
        )
        // Unsubscribe, privacy-policy and registration links are expected to
        // carry similar wording and are excluded.
        and not strings.ilike(.display_text, "*unsub*")
        and not strings.ilike(.href_url.url, "*privacy-policy*")
        and not strings.ilike(.display_text, "*REGISTER*")

        // from a low reputation link
        // The link must point outside the organisation's own domains and
        // either fall outside the $tranco_1m list or sit on a free-hosting,
        // free-subdomain or URL-shortener domain.
        and (
          not .href_url.domain.root_domain in $org_domains
          and (
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
          )
          or
          // or mass mailer link, masks the actual URL
          // These tracking-redirect root domains belong to the mailing
          // service rather than the final destination, so the reputation
          // checks above say nothing about where the link actually lands.
          .href_url.domain.root_domain in (
            "hubspotlinks.com",
            "mandrillapp.com",
            "sendgrid.net",
            "rs6.net",
            "mailanyone.net",
          )
        )
    )
    // or credential theft confidence high
    // NOTE(review): length(body.links) > 0 is already guaranteed by the
    // 0 < length(body.links) < 8 scope check at the top; it is redundant here.
    or (
      length(body.links) > 0
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "cred_theft" and .confidence == "high"
      )
      // Sender root domains exempted from the NLU-only branch.
      and not sender.email.domain.root_domain in (
        "servicenowservices.com",
        "workplaceextras.com",
        "tempo.io",
        "or.us"
      )
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // A high-trust sender root domain only matches when DMARC did not pass,
  // i.e. when the trusted domain itself may be spoofed.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender history: unsolicited senders pass through, as do solicited
  // senders that already have a malicious/spam verdict and no false positive.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // NOTE(review): this outer check subsumes the any_false_positives test in
  // the solicited branch above; any sender with a recorded false positive is
  // excluded regardless of solicitation state.
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "3cd04f33-5519-5cc1-8740-e8ce6cddf8a0"