Fake request for tax preparation

An unknown sender requests assistance with tax preparation. This lure is associated with known threat actor activity (TA576).


# Sublime detection rule (MQL query in `source`). Fires on short inbound messages
# from unfamiliar senders that read as a request for tax-preparation help, with
# no attachments and no links beyond the narrow set permitted below.
name: "Fake request for tax preparation"
description: "Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576."
type: "rule"
severity: "high"
source: |
  // inbound mail only, with a short current-thread body (under 1250 characters)
  type.inbound
  and length(body.current_thread.text) < 1250
  // there are no links, all the links are to aka.ms, or an extraction from a warning banner that match the senders domain
  // A link whose display domain has a whois age under 30 days also passes the
  // filter, so a newly registered link domain does not exempt the message.
  // NOTE(review): the age check reads .display_url.domain while the aka.ms check
  // reads .href_url.domain -- confirm the asymmetry is intended.
  and (
    length(body.links) == 0
    or length(filter(body.links,
                     (
                       .display_text is null
                       and .display_url.url == sender.email.domain.root_domain
                     )
                     or .href_url.domain.domain == "aka.ms"
                     or network.whois(.display_url.domain).days_old < 30
              )
    ) == length(body.links)
  )
  // the pretext message itself carries no attachment
  and length(attachments) == 0
  // "tax" must appear in both the subject and the body (case-insensitive)
  and strings.ilike(subject.subject, "*tax*") 
  and strings.icontains(body.current_thread.text, "tax")
  // tax-return vocabulary
  // NOTE(review): strings.like is presumably case-sensitive, unlike the ilike
  // calls around it, so "Return"/"Filing" at sentence start would not match --
  // confirm this is deliberate (e.g. to keep "CPA" exact).
  and (
    strings.like(body.current_thread.text,
                 "*return*",
                 "*record*",
                 "*CPA*",
                 "*filing*",
                 "*extension*"
    )
    or strings.ilike(body.current_thread.text, "*tax preparer*", "*tax*processing*")
  )
  // request-for-help phrasing typical of the lure, or sender/header anomalies
  and (
    strings.ilike(body.current_thread.text,
                  "*necessary documents*",
                  "*required documents*",
                  "*paperwork*need*",
                  "*in search of*",
                  "*tax service*",
                  "*professional help*",
                  "*prepare*tax return*",
                  "*service*tax return*",
                  "*seeking*tax preparer*",
                  "*assist*processing*tax*",
                  "*schedule*call*",
                  "*zoom meeting*",
                  "*discuss*fees*"
    )
    // suspicious patterns
    // body mentions the sender's display name and at least two of: every
    // Reply-To on a different root domain than the sender, Return-Path not
    // equal to the sender address, Return-Path on amazonses.com
    or (
      strings.icontains(body.current_thread.text, sender.display_name)
      and 2 of (
        (
          length(headers.reply_to) > 0
          and all(headers.reply_to,
                  .email.domain.root_domain != sender.email.domain.root_domain
          )
        ),
        (
          headers.return_path.email is not null
          and headers.return_path.email != sender.email.email
        ),
        headers.return_path.domain.root_domain in ("amazonses.com")
      )
    )
  )
  // sender reputation: unfamiliar/unsolicited sender, or a sender with prior
  // malicious/spam messages. The trailing any_false_positives clause below
  // already covers the second branch's `not any_false_positives`, so that
  // inner condition is redundant (harmless).
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives  

# NOTE(review): "Malware/Ransomware" is tagged although the rule requires zero
# attachments; presumably this refers to follow-on delivery after the initial
# pretext -- confirm.
attack_types:
  - "BEC/Fraud"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "e36b85b3-ffc6-5d73-b865-7dbdf9b4b1a0"