Fake request for tax preparation

An unknown sender requests assistance with tax preparation. This lure is associated with known threat-actor activity attributed to TA576.

Sublime rule (View on GitHub)

 1name: "Fake request for tax preparation"
 2description: "Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 1000
 8  // there are no links, all the links are to aka.ms, or an extraction from a warning banner that match the senders domain
 9  and (
10    length(body.links) == 0
11    or length(filter(body.links,
12                     (
13                       .display_text is null
14                       and .display_url.url == sender.email.domain.root_domain
15                     )
16                     or .href_url.domain.domain == "aka.ms"
17                     or network.whois(.display_url.domain).days_old < 30
18              )
19    ) == length(body.links)
20  )
21  and length(attachments) == 0
22  and strings.ilike(subject.subject, "*tax*")
23  and strings.icontains(body.current_thread.text, "tax")
24  and strings.like(body.current_thread.text, "*return*", "*record*", "*CPA*")
25  and (
26    strings.ilike(body.current_thread.text,
27                  "*necessary documents*",
28                  "*required documents*",
29                  "*in search of*",
30                  "*tax service*",
31                  "*prepare*tax return*",
32                  "*service*tax return*"
33    )
34  )
35  and (
36    (
37      profile.by_sender().prevalence in ("new", "outlier")
38      and not profile.by_sender().solicited
39    )
40    or (
41      profile.by_sender().any_messages_malicious_or_spam
42      and not profile.by_sender().any_false_positives
43    )
44  )
45  and not profile.by_sender().any_false_positives  
46
47attack_types:
48  - "BEC/Fraud"
49  - "Malware/Ransomware"
50tactics_and_techniques:
51  - "Social engineering"
52detection_methods:
53  - "Content analysis"
54  - "Natural Language Understanding"
55  - "Sender analysis"
56id: "e36b85b3-ffc6-5d73-b865-7dbdf9b4b1a0"