Employee Impersonation: Payroll Fraud
This rule detects messages from unsolicited senders that impersonate employees in an attempt to reroute payroll or alter payment details.
# Sublime Security detection rule: payroll-redirect BEC sent under an employee's display name.
name: "Employee Impersonation: Payroll Fraud"
description: |
  This rule detects messages impersonating employees, from unsolicited senders attempting to reroute payroll
  or alter payment details.
type: "rule"
severity: "medium"
# Detection logic (MQL). The conditions below, in order:
#   - inbound mail whose sender display name is one of the org's known display names;
#   - no attachments and a short plain-text body (length < 300);
#   - sender root domain is not an org domain, or is a free email provider;
#   - at least one of plain body, HTML inner text or subject matches the payroll
#     keyword regex (pay roll/check/date/day, direct deposit, standalone "dd",
#     and the non-English salary terms "gehalt" / "salario");
#   - the sender is not an existing correspondent: a free-provider sender address
#     must not appear in $recipient_emails, and a non-free-provider sender domain
#     must not appear in $recipient_domains.
# NOTE(review): the display name is matched exactly against $org_display_names;
#   spelling variants or added suffixes are not covered by this rule as written.
# NOTE(review): `\bdd\b` matches "dd" as a standalone word anywhere in the text,
#   so some benign hits are likely; the sender and body-length conditions are
#   what keep precision up. The same regex is repeated three times - keep the
#   three copies in sync when editing.
source: |
  type.inbound
  and sender.display_name in $org_display_names
  and length(attachments) == 0
  and length(body.plain.raw) < 300
  and (
    sender.email.domain.root_domain not in $org_domains
    or sender.email.domain.root_domain in $free_email_providers
  )
  and 1 of (
    regex.icontains(body.plain.raw,
                    '(pay\s?(roll|check|date|day)|direct deposit|\bdd\b|gehalt|salario|salary)'
    ),
    regex.icontains(body.html.inner_text,
                    '(pay\s?(roll|check|date|day)|direct deposit|\bdd\b|gehalt|salario|salary)'
    ),
    regex.icontains(subject.subject,
                    '(pay\s?(roll|check|date|day)|direct deposit|\bdd\b|gehalt|salario|salary)'
    )
  )
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
# Classification metadata used by the platform for grouping and reporting.
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
# Stable rule identifier; keep unchanged when editing the rule.
id: "2beb7d85-dfe3-5ecc-9b2a-d7416a3ef992"