Employee impersonation: Payroll fraud
This rule detects messages impersonating employees, from unsolicited senders attempting to reroute payroll or alter payment details.
Sublime rule (View on GitHub)
1name: "Employee impersonation: Payroll fraud"
2description: |
3 This rule detects messages impersonating employees, from unsolicited senders attempting to reroute payroll
4 or alter payment details.
5type: "rule"
6severity: "high"
7source: |
8 type.inbound
9 // ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
10 and strings.contains(sender.display_name, " ")
11 and (
12 sender.display_name in~ $org_display_names
13 or subject.base in~ $org_display_names
14 )
15 and length(attachments) == 0
16 and length(body.links) < 10
17 and (
18 length(body.current_thread.text) < 800
19 or (
20 any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
21 .name == "disclaimer"
22 ),
23 .text
24 ),
25 (length(body.current_thread.text) - length(.)) < 800
26 )
27 )
28 )
29 and (
30 sender.email.domain.root_domain not in $org_domains
31 or sender.email.domain.root_domain in $free_email_providers
32 )
33 and 1 of (
34 regex.icontains(body.current_thread.text,
35 '(?:pay\s?(?:roll|check|date|day)|direct deposit|(?:acct|account) rephrase|paid.{0,50}problems|\bACH\b|\bdd\b|gehalt|salario|salary|employee self[-\s]?service|\bESS\b.{0,30}(?:portal|access|log[-\s]?in)|access.{0,30}(?:HR|employee).{0,30}portal)'
36 ),
37 regex.icontains(subject.subject,
38 '(?:pay\s?(?:roll|check|date|day)|direct deposit|(?:acct|account) rephrase|paid.{0,50}problems|\bACH\b|\bdd\b|gehalt|salario|salary|employee self[-\s]?service|\bESS\b.{0,15}portal)'
39 )
40 )
41
42 // sender profile negations
43 and (
44 not profile.by_sender_email().solicited
45 or profile.by_sender().any_messages_malicious_or_spam
46 )
47 and not profile.by_sender().any_messages_benign
48
49 // negate highly trusted sender domains unless they fail DMARC authentication
50 and (
51 (
52 sender.email.domain.root_domain in $high_trust_sender_root_domains
53 and (
54 any(distinct(headers.hops, .authentication_results.dmarc is not null),
55 strings.ilike(.authentication_results.dmarc, "*fail")
56 )
57 )
58 )
59 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
60 )
61
62 // negate legitimate conversations
63 and not (
64 (
65 length(headers.references) > 0
66 or headers.in_reply_to is not null
67 or (
68 any(headers.hops,
69 any(.fields,
70 strings.ilike(.name, "x-autoreply")
71 and strings.ilike(.value, "yes")
72 )
73 )
74 )
75 )
76 // previous thread present
77 and (
78 (
79 (subject.is_forward or subject.is_reply)
80 and length(body.previous_threads) >= 1
81 )
82 // automatic reply structure
83 or (
84 strings.istarts_with(subject.base, "automatic reply")
85 or strings.istarts_with(subject.base, "out of office")
86 )
87 )
88 )
89
90 // ignore personal <> work emails
91 and not (
92 length(recipients.to) == 1
93 and sender.email.domain.valid
94 and all(headers.reply_to, .email.email == sender.email.email)
95 and sender.display_name == mailbox.display_name
96 )
97
98 // topic negations
99 and not any(ml.nlu_classifier(body.current_thread.text).topics,
100 .name == "Advertising and Promotions"
101 )
102
103attack_types:
104 - "BEC/Fraud"
105tactics_and_techniques:
106 - "Impersonation: Employee"
107 - "Free email provider"
108 - "Social engineering"
109detection_methods:
110 - "Content analysis"
111 - "Sender analysis"
112id: "2beb7d85-dfe3-5ecc-9b2a-d7416a3ef992"