Fake request for tax preparation

Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576.


 1name: "Fake request for tax preparation"
 2description: "Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 1250
 8  // there are no links, all the links are to aka.ms, or an extraction from a warning banner that match the senders domain
 9  and (
10    length(body.links) == 0
11    or length(filter(body.links,
12                     (
13                       .display_text is null
14                       and .display_url.url == sender.email.domain.root_domain
15                     )
16                     or .href_url.domain.domain == "aka.ms"
17                     or network.whois(.display_url.domain).days_old < 30
18              )
19    ) == length(body.links)
20  )
21  and length(attachments) == 0
22  and strings.ilike(subject.subject, "*tax*")
23  and strings.icontains(body.current_thread.text, "tax")
24  and strings.like(body.current_thread.text,
25                   "*return*",
26                   "*record*",
27                   "*CPA*",
28                   "*filing*"
29  )
30  and (
31    strings.ilike(body.current_thread.text,
32                  "*necessary documents*",
33                  "*required documents*",
34                  "*paperwork*need*",
35                  "*in search of*",
36                  "*tax service*",
37                  "*professional help*",
38                  "*prepare*tax return*",
39                  "*service*tax return*"
40    )
41    // suspicious patterns
42    or (
43      strings.icontains(body.current_thread.text, sender.display_name)
44      and 2 of (
45        (
46          length(headers.reply_to) > 0
47          and all(headers.reply_to,
48                  .email.domain.root_domain != sender.email.domain.root_domain
49          )
50        ),
51        (
52          headers.return_path.email is not null
53          and headers.return_path.email != sender.email.email
54        ),
55        headers.return_path.domain.root_domain in ("amazonses.com")
56      )
57    )
58  )
59  and (
60    (
61      profile.by_sender().prevalence in ("new", "outlier")
62      and not profile.by_sender().solicited
63    )
64    or (
65      profile.by_sender().any_messages_malicious_or_spam
66      and not profile.by_sender().any_false_positives
67    )
68  )
69  and not profile.by_sender().any_false_positives  
70
71attack_types:
72  - "BEC/Fraud"
73  - "Malware/Ransomware"
74tactics_and_techniques:
75  - "Social engineering"
76detection_methods:
77  - "Content analysis"
78  - "Natural Language Understanding"
79  - "Sender analysis"
80id: "e36b85b3-ffc6-5d73-b865-7dbdf9b4b1a0"