Fake request for tax preparation
Unknown sender requesting assistance with tax preparation. This lure is associated with known threat actor activity tracked as TA576.
Sublime rule
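name: "Fake request for tax preparation"
description: "Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576."
type: "rule"
severity: "high"
# Detection logic (MQL). Every clause below is AND-ed; the rule fires only when
# all of them hold. Comments inside the block scalar use // (MQL comment syntax),
# since a # here would be part of the query text, not a YAML comment.
source: |
  type.inbound
  // short, conversational lure: only the current thread is measured, not quoted history
  and length(body.current_thread.text) < 1000
  // link gate: fire when the message carries no links at all, OR when every link is
  // one of the following (any other link takes the message out of this rule):
  //   - an extraction from a warning banner: no display text and a display URL that is
  //     exactly the sender's root domain
  //   - an aka.ms link
  //   - a link whose display domain was registered less than 30 days ago, so a freshly
  //     registered domain does not exempt the message (NOTE(review): this is a per-link
  //     network.whois lookup; a null days_old makes the comparison false and the link
  //     then has to match one of the other two branches — confirm that is the intent)
  and (
    length(body.links) == 0
    or length(filter(body.links,
                     (
                       .display_text is null
                       and .display_url.url == sender.email.domain.root_domain
                     )
                     or .href_url.domain.domain == "aka.ms"
                     or network.whois(.display_url.domain).days_old < 30
                    )
    ) == length(body.links)
  )
  // the lure itself is text-only; attachments arrive later in the conversation, if at all
  and length(attachments) == 0
  // "tax" must appear in both the subject and the current body
  and strings.ilike(subject.subject, "*tax*")
  and strings.icontains(body.current_thread.text, "tax")
  // NOTE(review): strings.like is case-sensitive, unlike the ilike/icontains checks around
  // it, so "Return" / "Record" at the start of a sentence are not matched — confirm this
  // is intended (CPA is plausibly meant to be matched only in upper case)
  and strings.like(body.current_thread.text, "*return*", "*record*", "*CPA*")
  // request phrasing typical of the lure
  and (
    strings.ilike(body.current_thread.text,
                  "*necessary documents*",
                  "*required documents*",
                  "*in search of*",
                  "*tax service*",
                  "*prepare*tax return*",
                  "*service*tax return*"
    )
  )
  // sender reputation: either an unsolicited sender the org has rarely/never seen,
  // or a sender with prior malicious/spam messages
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or profile.by_sender().any_messages_malicious_or_spam
  )
  // never fire on a sender with prior false positives (applies to both branches above,
  // so the check is made once here rather than repeated inside the second branch)
  and not profile.by_sender().any_false_positives

attack_types:
  - "BEC/Fraud"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "e36b85b3-ffc6-5d73-b865-7dbdf9b4b1a0"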