Employee Impersonation: Payroll Fraud

calendar Dec 16, 2024  ยท
Share on: linkedin copy

This rule detects messages impersonating employees, from unsolicited senders attempting to reroute payroll or alter payment details.

Sublime rule (View on GitHub)

 1name: "Employee Impersonation: Payroll Fraud"
 2description: |
 3  This rule detects messages impersonating employees, from unsolicited senders attempting to reroute payroll
 4  or alter payment details.  
 5type: "rule"
 6severity: "high"
 7source: |
 8  type.inbound
 9  
10  // ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
11  and strings.contains(sender.display_name, " ")
12  and sender.display_name in~ $org_display_names
13  and length(attachments) == 0
14  and length(body.links) < 10
15  and length(body.current_thread.text) < 800
16  and (
17    sender.email.domain.root_domain not in $org_domains
18    or sender.email.domain.root_domain in $free_email_providers
19  )
20  and 1 of (
21    regex.icontains(body.current_thread.text,
22                    '(pay\s?(roll|check|date|day)|direct deposit|(acct|account) rephrase|paid.{0,50}problems|\bACH\b|\bdd\b|gehalt|salario|salary)'
23    ),
24    regex.icontains(subject.subject,
25                    '(pay\s?(roll|check|date|day)|direct deposit|(acct|account) rephrase|paid.{0,50}problems|\bACH\b|\bdd\b|gehalt|salario|salary)'
26    )
27  )
28  and (
29    not profile.by_sender_email().solicited
30    or (
31      profile.by_sender().any_messages_malicious_or_spam
32      and not profile.by_sender().any_false_positives
33    )
34  )
35  and not profile.by_sender().any_false_positives
36  
37  // negate highly trusted sender domains unless they fail DMARC authentication
38  and (
39    (
40      sender.email.domain.root_domain in $high_trust_sender_root_domains
41      and (
42        any(distinct(headers.hops, .authentication_results.dmarc is not null),
43            strings.ilike(.authentication_results.dmarc, "*fail")
44        )
45      )
46    )
47    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
48  )  
49
50attack_types:
51  - "BEC/Fraud"
52tactics_and_techniques:
53  - "Impersonation: Employee"
54  - "Free email provider"
55  - "Social engineering"
56detection_methods:
57  - "Content analysis"
58  - "Sender analysis"
59id: "2beb7d85-dfe3-5ecc-9b2a-d7416a3ef992"
to-top