Impersonation: Australian Federal Police with criminal case language
Detects messages impersonating the Australian Federal Police using law enforcement terminology in the subject and sender display name, combined with official correspondence language including case references, investigation details, and compliance demands.
Sublime rule

name: "Impersonation: Australian Federal Police with criminal case language"
description: "Detects messages impersonating the Australian Federal Police using law enforcement terminology in the subject and sender display name, combined with official correspondence language including case references, investigation details, and compliance demands."
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    strings.ilike(subject.base, '*afp*')
    or strings.ilike(subject.base, '*australian federal police*')
  )
  and (
    2 of (
      strings.ilike(subject.base, '*case*'),
      strings.ilike(subject.base, '*investigation*'),
      strings.ilike(subject.base, '*law enforcement*'),
      strings.ilike(subject.base, '*management*'),
      strings.ilike(subject.base, '*notice*'),
      strings.ilike(subject.base, '*reference*')
    )
  )
  and (
    regex.icontains(body.current_thread.text, 'investigation|correspondence')
    and regex.icontains(body.current_thread.text, 'case (?:reference|type)')
  )

attack_types:
  - "BEC/Fraud"
  - "Extortion"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "1f712b4c-597b-53a4-b9b8-fc3d77d9086e"
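To see how the three clauses of the rule combine (brand keyword in the subject, at least two case-language terms in the subject, and both body regexes), the following Python re-implements the same logic over constructed sample messages. This is an added illustration, not Sublime's engine or code from the rule repository: `ilike` and `icontains` are small stand-ins for MQL's `strings.ilike` and `regex.icontains`, and the `Message` class and sample subjects/bodies are invented for the test.

```python
import re
from dataclasses import dataclass


@dataclass
class Message:
    """Minimal stand-in (assumption) for the fields the rule reads."""
    subject: str        # subject.base
    body_text: str      # body.current_thread.text
    inbound: bool = True  # type.inbound


def ilike(haystack: str, pattern: str) -> bool:
    """Emulate strings.ilike: case-insensitive glob where '*' matches anything."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.search(regex, haystack, re.IGNORECASE | re.DOTALL) is not None


def icontains(text: str, pattern: str) -> bool:
    """Emulate regex.icontains: case-insensitive regex search."""
    return re.search(pattern, text, re.IGNORECASE) is not None


# Patterns copied from the rule's source block.
SUBJECT_BRAND = ["*afp*", "*australian federal police*"]
SUBJECT_CASE_TERMS = ["*case*", "*investigation*", "*law enforcement*",
                      "*management*", "*notice*", "*reference*"]
BODY_PATTERNS = [r"investigation|correspondence", r"case (?:reference|type)"]


def subject_term_hits(subject: str) -> int:
    """Count how many of the six case-language globs the subject satisfies
    (the rule's '2 of (...)' requires this to be >= 2)."""
    return sum(ilike(subject, p) for p in SUBJECT_CASE_TERMS)


def matches_rule(msg: Message) -> bool:
    """Return True when all three AND-ed clauses of the rule are satisfied."""
    if not msg.inbound:
        return False
    brand_in_subject = any(ilike(msg.subject, p) for p in SUBJECT_BRAND)
    enough_case_terms = subject_term_hits(msg.subject) >= 2
    body_has_case_language = all(icontains(msg.body_text, p) for p in BODY_PATTERNS)
    return brand_in_subject and enough_case_terms and body_has_case_language


# Constructed sample messages (not real mail) that exercise each clause.
SAMPLE_HIT = Message(
    subject="AFP Notice: Criminal Case Reference 2024-0001",
    body_text=("Your case reference is listed above. This correspondence concerns "
               "an ongoing investigation; respond within 48 hours."),
)
# Brand keyword present but only one case-language term in the subject.
SAMPLE_MISS_SUBJECT = Message(
    subject="AFP Notice",
    body_text=SAMPLE_HIT.body_text,
)
# Subject fully qualifies but the body lacks the 'case reference/type' phrase.
SAMPLE_MISS_BODY = Message(
    subject="AFP Notice: Criminal Case Reference 2024-0001",
    body_text="Please see the attached correspondence about your investigation.",
)
# Same content but outbound, so type.inbound gates it out.
SAMPLE_OUTBOUND = Message(SAMPLE_HIT.subject, SAMPLE_HIT.body_text, inbound=False)

if __name__ == "__main__":
    for name, m in [("hit", SAMPLE_HIT), ("miss_subject", SAMPLE_MISS_SUBJECT),
                    ("miss_body", SAMPLE_MISS_BODY), ("outbound", SAMPLE_OUTBOUND)]:
        print(f"{name}: subject_terms={subject_term_hits(m.subject)} match={matches_rule(m)}")
```

Note that `'*afp*'` is a substring glob, so any subject containing the letters "afp" satisfies the brand clause; the rule relies on the other two clauses to keep that from producing noise, which is why `SAMPLE_MISS_SUBJECT` and `SAMPLE_MISS_BODY` do not fire.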