Employee Impersonation: Payroll Fraud
This rule detects messages impersonating employees, from unsolicited senders attempting to reroute payroll or alter payment details.
Sublime rule (View on GitHub)
1name: "Employee Impersonation: Payroll Fraud"
2description: |
3 This rule detects messages impersonating employees, from unsolicited senders attempting to reroute payroll
4 or alter payment details.
5type: "rule"
6severity: "high"
7source: |
8 type.inbound
9
10 // ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
11 and strings.contains(sender.display_name, " ")
12 and sender.display_name in~ $org_display_names
13 and length(attachments) == 0
14 and length(body.links) < 10
15 and length(body.current_thread.text) < 800
16 and (
17 sender.email.domain.root_domain not in $org_domains
18 or sender.email.domain.root_domain in $free_email_providers
19 )
20 and 1 of (
21 regex.icontains(body.current_thread.text,
22 '(pay\s?(roll|check|date|day)|direct deposit|(acct|account) rephrase|paid.{0,50}problems|\bACH\b|\bdd\b|gehalt|salario|salary)'
23 ),
24 regex.icontains(subject.subject,
25 '(pay\s?(roll|check|date|day)|direct deposit|(acct|account) rephrase|paid.{0,50}problems|\bACH\b|\bdd\b|gehalt|salario|salary)'
26 )
27 )
28 and (
29 not profile.by_sender_email().solicited
30 or (
31 profile.by_sender().any_messages_malicious_or_spam
32 and not profile.by_sender().any_false_positives
33 )
34 )
35 and not profile.by_sender().any_false_positives
36
37 // negate highly trusted sender domains unless they fail DMARC authentication
38 and (
39 (
40 sender.email.domain.root_domain in $high_trust_sender_root_domains
41 and (
42 any(distinct(headers.hops, .authentication_results.dmarc is not null),
43 strings.ilike(.authentication_results.dmarc, "*fail")
44 )
45 )
46 )
47 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
48 )
49
50attack_types:
51 - "BEC/Fraud"
52tactics_and_techniques:
53 - "Impersonation: Employee"
54 - "Free email provider"
55 - "Social engineering"
56detection_methods:
57 - "Content analysis"
58 - "Sender analysis"
59id: "2beb7d85-dfe3-5ecc-9b2a-d7416a3ef992"