Brand impersonation: Canada Revenue Agency

Detects messages impersonating the Canada Revenue Agency (CRA) in English or French that contain credential theft indicators. The rule identifies senders claiming to be CRA through display names or subject line references, uses natural language understanding to detect credential theft intent, and excludes legitimate senders with proper authentication.

Sublime rule

```yaml
name: "Brand impersonation: Canada Revenue Agency"
description: "Detects messages impersonating the Canada Revenue Agency (CRA) in English or French that contain credential theft indicators. The rule identifies senders claiming to be CRA through display names or subject line references, uses natural language understanding to detect credential theft intent, and excludes legitimate senders with proper authentication."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // sender claims to be CRA
  and (
    strings.icontains(sender.display_name, 'canada revenue agency')
    or strings.icontains(sender.display_name, 'agence du revenu du canada')
    or (
      // cra display name and cra reference in subject
      regex.icontains(sender.display_name, '\bcra\b')
      and regex.icontains(subject.base,
                          '(?:T4|cra|tax|canada revenue|revenu du canada)'
      )
    )
  )
  // nlu cred theft
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence != 'low'
  )
  and not (
    (
      // negate highly trusted sender domains
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      // negate the legitimate CRA sending domain
      or sender.email.domain.root_domain == "cra-arc.gc.ca"
    )
    // enforce auth: a trusted domain is only negated when DMARC passes
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "72607c4c-52dc-5df6-b547-54ee321b7a7a"
```
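The rule's interesting behaviour is in how the three parts compose: the bare "CRA" acronym only counts when the subject also references the agency or taxes, and the trusted-sender negation is conditional on a DMARC pass, so a message from the genuine `cra-arc.gc.ca` domain that lacks a DMARC result is still flagged. The following Python re-implements that boolean logic over constructed messages; it is an added example, not Sublime's code or a Sublime API. The `$high_trust_sender_root_domains` list is replaced by a constructed set, `subject.base` is approximated by stripping reply/forward prefixes, and the NLU classifier output is supplied as data on each message rather than computed, since the real classifier is a platform component.

```python
"""Reference evaluation of the CRA brand-impersonation rule's logic.

Added example (not Sublime's code). The platform-provided pieces are modelled
as plain data: the NLU intents travel with each message, the high-trust list
is a constructed set, and subject.base is approximated locally.
"""
import re

# Constructed stand-in for Sublime's $high_trust_sender_root_domains list
HIGH_TRUST_ROOT_DOMAINS = {"microsoft.com", "google.com"}
CRA_ROOT_DOMAIN = "cra-arc.gc.ca"

# Same patterns the rule uses, compiled case-insensitively (regex.icontains)
CRA_ACRONYM_RE = re.compile(r"\bcra\b", re.IGNORECASE)
CRA_SUBJECT_RE = re.compile(r"(?:T4|cra|tax|canada revenue|revenu du canada)", re.IGNORECASE)
# Approximation of subject.base: strip leading RE:/FW:/FWD:/TR: prefixes
REPLY_PREFIX_RE = re.compile(r"^(?:(?:re|fw|fwd|tr)\s*:\s*)+", re.IGNORECASE)


def base_subject(subject: str) -> str:
    """Remove leading reply/forward markers, e.g. 'RE: FW: T4 slip' -> 'T4 slip'."""
    return REPLY_PREFIX_RE.sub("", subject).strip()


def claims_to_be_cra(display_name: str, subject: str) -> bool:
    """Sender block of the rule: full agency name, or bare acronym plus subject hint."""
    dn = display_name.lower()
    if "canada revenue agency" in dn or "agence du revenu du canada" in dn:
        return True
    # The acronym alone is too ambiguous; it needs a CRA/tax reference in the subject
    return bool(CRA_ACRONYM_RE.search(display_name) and CRA_SUBJECT_RE.search(base_subject(subject)))


def has_cred_theft_intent(intents) -> bool:
    """NLU block: any cred_theft intent whose confidence is not 'low'."""
    return any(i["name"] == "cred_theft" and i["confidence"] != "low" for i in intents)


def is_authenticated_trusted_sender(root_domain: str, dmarc_pass) -> bool:
    """Negation block: trusted root domain AND coalesce(dmarc.pass, false)."""
    trusted = root_domain in HIGH_TRUST_ROOT_DOMAINS or root_domain == CRA_ROOT_DOMAIN
    # A missing DMARC verdict (None) counts as a failure, exactly like coalesce(..., false)
    return trusted and bool(dmarc_pass)


def matches(msg: dict) -> bool:
    """Full rule: inbound AND claims CRA AND cred-theft intent AND NOT authenticated trusted sender."""
    if not msg.get("inbound", True):
        return False
    return (
        claims_to_be_cra(msg["display_name"], msg["subject"])
        and has_cred_theft_intent(msg["intents"])
        and not is_authenticated_trusted_sender(msg["root_domain"], msg.get("dmarc_pass"))
    )


# Constructed sample messages exercising each branch of the rule
HIGH = [{"name": "cred_theft", "confidence": "high"}]
LOW = [{"name": "cred_theft", "confidence": "low"}]
SAMPLES = {
    # Untrusted domain, full agency name: flagged even though DMARC passes for its own domain
    "phish_en": dict(display_name="Canada Revenue Agency", subject="Your tax refund is waiting",
                     root_domain="example-mailer.net", dmarc_pass=True, intents=HIGH),
    "phish_fr": dict(display_name="Agence du revenu du Canada", subject="Remboursement d'impôt",
                     root_domain="example-mailer.net", dmarc_pass=None, intents=HIGH),
    # Bare acronym with an unrelated subject: sender block does not fire
    "acronym_only": dict(display_name="CRA Notifications", subject="Your account statement",
                         root_domain="example-mailer.net", dmarc_pass=None, intents=HIGH),
    # Bare acronym plus T4 reference after stripping the RE: prefix: fires
    "acronym_with_t4": dict(display_name="CRA Notifications", subject="RE: T4 slip available",
                            root_domain="example-mailer.net", dmarc_pass=None, intents=HIGH),
    # Genuine CRA domain with DMARC pass: negated
    "legit_cra_dmarc_pass": dict(display_name="Canada Revenue Agency", subject="Sign in to My Account",
                                 root_domain=CRA_ROOT_DOMAIN, dmarc_pass=True, intents=HIGH),
    # Same domain claimed but no DMARC verdict: negation does not apply, still flagged
    "cra_domain_dmarc_missing": dict(display_name="Canada Revenue Agency", subject="Sign in to My Account",
                                     root_domain=CRA_ROOT_DOMAIN, dmarc_pass=None, intents=HIGH),
    # Classifier only weakly confident: suppressed
    "low_confidence": dict(display_name="Canada Revenue Agency", subject="Tax notice",
                           root_domain="example-mailer.net", dmarc_pass=None, intents=LOW),
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the rule and return name -> verdict."""
    return {name: matches(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:28s} {'ALERT' if verdict else 'pass'}")
```

The two `cra-arc.gc.ca` samples are the ones worth studying: the negation is `not (trusted and dmarc_pass)`, so a trusted domain without a passing DMARC verdict receives no exemption, which is what makes the rule resistant to simple envelope spoofing of the real agency domain.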