Benefits Enrollment Impersonation
Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication.
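name: "Benefits Enrollment Impersonation"
description: "Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication."
type: "rule"
severity: "high"
source: |
  // Scope: inbound mail from outside the org with a short (or empty) current-thread body,
  // which keeps the NLU signals below focused on the lure rather than long quoted threads.
  type.inbound
  and sender.email.domain.domain not in $org_domains
  and (
    length(body.current_thread.text) < 2500 or body.current_thread.text is null
  )
  // Benefits / open-enrollment theme in the subject, body, or an attachment name
  and (
    regex.icontains(subject.subject,
                    '(open|benefits?) enrol{1,2}ment', // catches both enrolment and enrollment
                    'benefit(s)? (plan|choice|selection|deadline|period)',
                    'hr benefits',
                    'annual enrol{1,2}ment',
                    'healthcare (choice|selection|opt.?in)',
                    '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
                    'dependent (coverage|verification)',
                    '(health|dental|vision|insurance|medical) enrol{1,2}ment'
    )
    or regex.icontains(body.current_thread.text,
                       'benefit(s)? (plan|choice|selection|deadline|period)',
                       'hr benefits',
                       'annual enrol{1,2}ment',
                       'healthcare (choice|selection|opt.?in)',
                       '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
                       'dependent (coverage|verification)',
                       '(health|dental|vision|insurance|medical) enrol{1,2}ment',
                       '(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)',
                       'coverage.{0,20}(expire|terminate)',
                       'last (day|chance).{0,20}(enrol{1,2}|select)',
                       '(login|sign.?in).{0,20}(benefit portal|hr portal)',
                       '(verify|update|confirm).{0,20}(benefit.{0,20}selection)'
    )
    or any(attachments,
           regex.icontains(.file_name,
                           'fileDoc-Review',
                           '(open|benefits?) enrol{1,2}ment',
                           'annual enrol{1,2}ment',
                           '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
                           '(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)'
           )
    )
  )
  // Require at least two independent pressure / lure signals so a bare HR newsletter
  // that merely mentions enrollment does not fire on its own
  and 2 of (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name in ("urgency", "request")
    ),
    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign"),
    // near-empty body carrying a single attachment
    (
      (length(body.current_thread.text) < 250 and length(attachments) == 1)
      or (body.current_thread.text is null and length(attachments) == 1)
    ),
    // lure in attachment: OCR the attachment and run the same NLU checks on its text
    (
      any(attachments,
          (
            .file_type in $file_types_images
            or .file_type in ("pdf", "docx", "doc")
            or .file_extension in $file_extensions_macros
          )
          and any(filter(file.explode(.), .scan.ocr.raw is not null),
                  (
                    any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name != "benign"
                    )
                    and any(ml.nlu_classifier(.scan.ocr.raw).entities,
                            .name in ("urgency", "request")
                    )
                  )
          )
      )
    )
  )
  // negate replies
  // NOTE(review): References and In-Reply-To are sender-supplied, so this is a
  // false-positive guard only; a sender can add both headers to look like a reply.
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )

  // Negate common marketing mailers
  // NOTE(review): display_name is fully attacker-controlled; this exclusion is bypassable
  // by choosing one of these names and should be kept narrow (exact products, not generic "HR ...").
  and not regex.icontains(sender.display_name,
                          'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations'
  )
  and not (
    // Constant Contact
    // Match the SPF designator as the exact domain or a subdomain of it. A substring match
    // would also accept an envelope-from such as "constantcontact.com.example", which the
    // sender controls, and would silently switch this exclusion on.
    any(headers.hops,
        strings.ilike(.authentication_results.spf_details.designator, "constantcontact.com")
        or strings.iends_with(.authentication_results.spf_details.designator,
                              ".constantcontact.com"
        )
    )
    or any(headers.hops,
           strings.ilike(.received_spf.designator, "constantcontact.com")
           or strings.iends_with(.received_spf.designator, ".constantcontact.com")
    )
    or (
      (
        any(headers.hops,
            .index == 0
            and any(.authentication_results.dkim_details,
                    .domain == "auth.ccsend.com"
            )
        )
      )
      and headers.auth_summary.dmarc.pass
    )
    // NOTE(review): References is sender-supplied, so this branch alone lets a message skip
    // the rule by adding "References: <x@ccsend.com>". Consider gating it on DMARC (as the
    // DKIM branch above does) or dropping it.
    or any(headers.references, strings.iends_with(., "ccsend.com"))
    // Hubspot (same exact-or-subdomain matching as above)
    or any(headers.hops,
           strings.ilike(.authentication_results.spf_details.designator, "hubspotemail.net")
           or strings.iends_with(.authentication_results.spf_details.designator,
                                 ".hubspotemail.net"
           )
    )
  )
  // Known benefits providers are excluded only when the message passes DMARC. Without
  // the authentication check a spoofed From: @uhc.com would be enough to silence the rule,
  // which is exactly the impersonation this rule is meant to catch. This mirrors the
  // $high_trust_sender_root_domains handling below.
  and not (
    sender.email.domain.root_domain in~ (
      'medicare.gov',
      'farmers.com',
      'uhc.com',
      'blueshieldca.com',
      'corestream.com'
    )
    and headers.auth_summary.dmarc.pass
  )
  // Sender must be new/unusual for the recipient org, or previously flagged without FPs
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Employee"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "5a6eb5a8-2d91-5ed8-a0d2-fb3cc2fef40b"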