Employee impersonation: Payroll fraud

This rule detects messages from unsolicited senders that impersonate employees in an attempt to reroute payroll or alter payment details.

Sublime rule (View on GitHub)

 1name: "Employee impersonation: Payroll fraud"
 2description: |
 3  This rule detects messages impersonating employees, from unsolicited senders attempting to reroute payroll
 4  or alter payment details.  
 5type: "rule"
 6severity: "high"
 7source: |
 8  type.inbound
 9
10  // ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
11  and strings.contains(sender.display_name, " ")
12  and sender.display_name in~ $org_display_names
13  and length(attachments) == 0
14  and length(body.links) < 10
15  and length(body.current_thread.text) < 800
16  and (
17    sender.email.domain.root_domain not in $org_domains
18    or sender.email.domain.root_domain in $free_email_providers
19  )
20  and 1 of (
21    regex.icontains(body.current_thread.text,
22                    '(?:pay\s?(?:roll|check|date|day)|direct deposit|(?:acct|account) rephrase|paid.{0,50}problems|\bACH\b|\bdd\b|gehalt|salario|salary|employee self[-\s]?service|\bESS\b.{0,30}(?:portal|access|log[-\s]?in)|access.{0,30}(?:HR|employee).{0,30}portal)'
23    ),
24    regex.icontains(subject.subject,
25                    '(?:pay\s?(?:roll|check|date|day)|direct deposit|(?:acct|account) rephrase|paid.{0,50}problems|\bACH\b|\bdd\b|gehalt|salario|salary|employee self[-\s]?service|\bESS\b.{0,15}portal)'
26    )
27  )
28  and (
29    not profile.by_sender_email().solicited
30    or profile.by_sender().any_messages_malicious_or_spam
31  )
32  and not profile.by_sender().any_messages_benign
33  
34  // negate highly trusted sender domains unless they fail DMARC authentication
35  and (
36    (
37      sender.email.domain.root_domain in $high_trust_sender_root_domains
38      and (
39        any(distinct(headers.hops, .authentication_results.dmarc is not null),
40            strings.ilike(.authentication_results.dmarc, "*fail")
41        )
42      )
43    )
44    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
45  )  
46
47attack_types:
48  - "BEC/Fraud"
49tactics_and_techniques:
50  - "Impersonation: Employee"
51  - "Free email provider"
52  - "Social engineering"
53detection_methods:
54  - "Content analysis"
55  - "Sender analysis"
56id: "2beb7d85-dfe3-5ecc-9b2a-d7416a3ef992"