Impersonation: Employee using fabricated identity in initial contact
Detects inbound messages that appear to be initial contact attempts where the sender uses a display name that doesn't match their email address, includes basic greetings referencing the subject line, and signs off with their display name. The message is short with no attachments, suggesting a social engineering setup for further communication.
Sublime rule
name: "Impersonation: Employee using fabricated identity in initial contact"
description: "Detects inbound messages that appear to be initial contact attempts where the sender uses a display name that doesn't match their email address, includes basic greetings referencing the subject line, and signs off with their display name. The message is short with no attachments, suggesting a social engineering setup for further communication."
type: "rule"
severity: "high"
source: |
  type.inbound
  // not a reply thread — this is initial contact
  and length(headers.references) == 0
  // short body, no attachments — initial contact social engineering
  and length(body.current_thread.text) < 500
  and length(attachments) == 0
  // contains a basic greeting addressed to the first word of the subject
  and any(["Hey", "Hi", "Hello"],
          strings.starts_with(body.current_thread.text,
                              strings.concat(.,
                                             " ",
                                             regex.extract(subject.base,
                                                           '^\P{L}*([\p{L}''-]+)'
                                             )[0].groups[0],
                                             ",\n"
                              )
          )
  )
  // ends with the sender's display name
  and strings.ends_with(body.current_thread.text,
                        strings.concat("\n", sender.display_name, ".")
  )
  // some word of the sender display name is absent from the email address local part
  and any(regex.iextract(sender.display_name, '\w+'),
          .full_match not in~ (sender.email.local_part)
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "562d02fd-c96e-5954-ae4a-a5e185f1d498"
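The rule's conjunction re-implemented in Python as an added worked example (not Sublime's code), run over a constructed pair of messages that differ only in whether the mailbox matches the display name. It assumes the subject has already had Re:/Fwd: prefixes stripped as subject.base does, and since Python's re has no \p{L}, the subject regex is rewritten with the equivalent [^\W\d_] class.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Python's re has no \p{L}; [^\W\d_] matches exactly Unicode letters, so this
# is the rule's '^\P{L}*([\p{L}'-]+)' with \P{L} -> [\W\d_] and \p{L} -> [^\W\d_].
FIRST_NAME_RE = re.compile(r"^[\W\d_]*((?:[^\W\d_]|['-])+)")
WORD_RE = re.compile(r"\w+")
GREETINGS = ("Hey", "Hi", "Hello")


@dataclass
class Message:
    """Constructed stand-in for the MQL fields the rule reads."""
    subject: str            # subject.base (Re:/Fwd: assumed already stripped)
    body: str               # body.current_thread.text
    display_name: str       # sender.display_name
    local_part: str         # sender.email.local_part
    references: List[str] = field(default_factory=list)   # headers.references
    attachments: List[str] = field(default_factory=list)  # attachments


def subject_first_name(subject: str) -> str:
    """regex.extract(subject.base, ...)[0].groups[0]: first word of the subject."""
    m = FIRST_NAME_RE.search(subject)
    return m.group(1) if m else ""


def display_name_foreign_to_address(display_name: str, local_part: str) -> bool:
    r"""any(regex.iextract(display_name, '\w+'), .full_match not in~ local_part)."""
    return any(w.lower() not in local_part.lower() for w in WORD_RE.findall(display_name))


def is_fabricated_initial_contact(msg: Message) -> bool:
    """Mirror the rule: every condition must hold for it to fire."""
    if msg.references or msg.attachments or len(msg.body) >= 500:
        return False
    name = subject_first_name(msg.subject)
    greeted = any(msg.body.startswith(f"{g} {name},\n") for g in GREETINGS)
    signed = msg.body.endswith(f"\n{msg.display_name}.")
    return greeted and signed and display_name_foreign_to_address(msg.display_name, msg.local_part)


# Constructed samples: same text, differing only in whether the mailbox matches the name.
BODY = "Hi Mark,\nAre you at your desk? I need a quick favor handled today.\nJohn Smith."
SUSPICIOUS = Message("Mark, are you in the office?", BODY, "John Smith", "notify.ceo.office")
BENIGN = Message("Mark, are you in the office?", BODY, "John Smith", "john.smith")

if __name__ == "__main__":
    print("suspicious fires:", is_fabricated_initial_contact(SUSPICIOUS))  # True
    print("benign fires:", is_fabricated_initial_contact(BENIGN))          # False
```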