Employee Impersonation: Payroll Fraud

 1name: "Employee Impersonation: Payroll Fraud"
 2description: |
 3  This rule detects messages impersonating employees, from unsolicited senders attempting to reroute payroll
 4  or alter payment details.  
 5type: "rule"
 6severity: "medium"
 7source: |
 8  type.inbound
 9  and sender.display_name in $org_display_names
10  and length(attachments) == 0
11  and length(body.plain.raw) < 300
12  and (
13    sender.email.domain.root_domain not in $org_domains
14    or sender.email.domain.root_domain in $free_email_providers
15  )
16  and 1 of (
17    regex.icontains(body.plain.raw,
18                    '(pay\s?(roll|check|date|day)|direct deposit|\bdd\b|gehalt|salario|salary)'
19    ),
20    regex.icontains(body.html.inner_text,
21                    '(pay\s?(roll|check|date|day)|direct deposit|\bdd\b|gehalt|salario|salary)'
22    ),
23    regex.icontains(subject.subject,
24                    '(pay\s?(roll|check|date|day)|direct deposit|\bdd\b|gehalt|salario|salary)'
25    )
26  )
27  and (
28    (
29      sender.email.domain.root_domain in $free_email_providers
30      and sender.email.email not in $recipient_emails
31    )
32    or (
33      sender.email.domain.root_domain not in $free_email_providers
34      and sender.email.domain.domain not in $recipient_domains
35    )
36  )  
37attack_types:
38  - "BEC/Fraud"
39tactics_and_techniques:
40  - "Impersonation: Employee"
41  - "Free email provider"
42  - "Social engineering"
43detection_methods:
44  - "Content analysis"
45  - "Sender analysis"
46id: "2beb7d85-dfe3-5ecc-9b2a-d7416a3ef992"