Benefits enrollment impersonation

Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication.

Sublime rule

  1name: "Benefits enrollment impersonation"
  2description: "Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and sender.email.domain.domain not in $org_domains
  8  and (
  9    length(body.current_thread.text) < 5000 or body.current_thread.text is null
 10  )
 11  and (
 12    regex.icontains(subject.subject,
 13                    '(open|benefits?) enrol{1,2}ment', // catches both enrolment and enrollment
 14                    'benefit(s)?.{0,10}(?:plan|choice|selection|deadline|period|summary)',
 15                    'hr benefits',
 16                    'annual enrol{1,2}ment',
 17                    'healthcare (choice|selection|opt.?in)',
 18                    '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
 19                    'dependent (coverage|verification)',
 20                    '(health|dental|vision|insurance|medical) enrol{1,2}ment'
 21    )
 22    or regex.icontains(body.current_thread.text,
 23                       'benefit(s)? (plan|choice|selection|deadline|period)',
 24                       'hr benefits',
 25                       'annual enrol{1,2}ment',
 26                       'healthcare (choice|selection|opt.?in)',
 27                       '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
 28                       'dependent (coverage|verification)',
 29                       '(health|dental|vision|insurance|medical) enrol{1,2}ment',
 30                       '(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)',
 31                       'coverage.{0,20}(expire|terminate)',
 32                       'last (day|chance).{0,20}(enrol{1,2}|select)',
 33                       '(login|sign.?in).{0,20}(benefit portal|hr portal)',
 34                       '(verify|update|confirm).{0,20}(benefit.{0,20}selection)'
 35    )
 36    or any(attachments,
 37           regex.icontains(.file_name,
 38                           'fileDoc-Review',
 39                           '(open|benefits?) enrol{1,2}ment',
 40                           'annual enrol{1,2}ment',
 41                           '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
 42                           '(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)',
 43           )
 44    )
 45  )
 46  and 2 of (
 47    any(ml.nlu_classifier(body.current_thread.text).entities,
 48        .name in ("urgency", "request")
 49    ),
 50    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign"),
 51    (
 52      (length(body.current_thread.text) < 250 and length(attachments) == 1)
 53      or (body.current_thread.text is null and length(attachments) == 1)
 54    ),
 55    // lure in attachment
 56    (
 57      any(attachments,
 58          (
 59            .file_type in $file_types_images
 60            or .file_type in ("pdf", "docx", "doc")
 61            or .file_extension in $file_extensions_macros
 62          )
 63          and any(filter(file.explode(.), .scan.ocr.raw is not null),
 64                  (
 65                    any(ml.nlu_classifier(.scan.ocr.raw).intents,
 66                        .name != "benign"
 67                    )
 68                    and any(ml.nlu_classifier(.scan.ocr.raw).entities,
 69                            .name in ("urgency", "request")
 70                    )
 71                  )
 72          )
 73      )
 74    )
 75  )
 76  // negate replies
 77  and (length(headers.references) == 0 or headers.in_reply_to is null)
 78  
 79  // Negate common marketing mailers
 80  and not regex.icontains(sender.display_name,
 81                          'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations'
 82  )
 83  and not (
 84    // Constant Contact
 85    any(headers.hops,
 86        strings.icontains(.authentication_results.spf_details.designator,
 87                          "constantcontact.com"
 88        )
 89    )
 90    or any(headers.hops,
 91           strings.icontains(.received_spf.designator, "constantcontact.com")
 92    )
 93    or (
 94      (
 95        any(headers.hops,
 96            .index == 0
 97            and any(.authentication_results.dkim_details,
 98                    .domain == "auth.ccsend.com"
 99            )
100        )
101      )
102      and headers.auth_summary.dmarc.pass
103    )
104    or any(headers.references, strings.iends_with(., "ccsend.com"))
105    // Hubspot
106    or any(headers.hops,
107           strings.icontains(.authentication_results.spf_details.designator,
108                             "hubspotemail.net"
109           )
110    )
111  )
112  and sender.email.domain.root_domain not in~ (
113    'medicare.gov',
114    'farmers.com',
115    'uhc.com',
116    'blueshieldca.com',
117    'corestream.com'
118  )
119  and (
120    profile.by_sender().prevalence in ("new", "outlier")
121    or (
122      profile.by_sender().any_messages_malicious_or_spam
123      and not profile.by_sender().any_messages_benign
124    )
125  )
126  // negate highly trusted sender domains unless they fail DMARC authentication
127  and (
128    (
129      sender.email.domain.root_domain in $high_trust_sender_root_domains
130      and not headers.auth_summary.dmarc.pass
131    )
132    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
133  )  
134attack_types:
135  - "Credential Phishing"
136tactics_and_techniques:
137  - "Evasion"
138  - "Impersonation: Employee"
139  - "Out of band pivot"
140  - "Social engineering"
141detection_methods:
142  - "Content analysis"
143  - "Header analysis"
144  - "Sender analysis"
145id: "5a6eb5a8-2d91-5ed8-a0d2-fb3cc2fef40b"