Employee impersonation: Payroll fraud

This rule detects messages impersonating employees, from unsolicited senders attempting to reroute payroll or alter payment details.

Sublime rule (View on GitHub)

  1name: "Employee impersonation: Payroll fraud"
  2description: |
  3  This rule detects messages impersonating employees, from unsolicited senders attempting to reroute payroll
  4  or alter payment details.  
  5type: "rule"
  6severity: "high"
  7source: |
  8  type.inbound
  9  // ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
 10  and strings.contains(sender.display_name, " ")
 11  and (
 12    sender.display_name in~ $org_display_names
 13    or subject.base in~ $org_display_names
 14  )
 15  and length(attachments) == 0
 16  and length(body.links) < 10
 17  and (
 18    length(body.current_thread.text) < 800
 19    or (
 20      any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
 21                     .name == "disclaimer"
 22              ),
 23              .text
 24          ),
 25          (length(body.current_thread.text) - length(.)) < 800
 26      )
 27    )
 28  )
 29  and (
 30    sender.email.domain.root_domain not in $org_domains
 31    or sender.email.domain.root_domain in $free_email_providers
 32  )
 33  and 1 of (
 34    regex.icontains(body.current_thread.text,
 35                    '(?:pay\s?(?:roll|check|date|day)|direct deposit|(?:acct|account) rephrase|paid.{0,50}problems|\bACH\b|\bdd\b|gehalt|salario|salary|employee self[-\s]?service|\bESS\b.{0,30}(?:portal|access|log[-\s]?in)|access.{0,30}(?:HR|employee).{0,30}portal)'
 36    ),
 37    regex.icontains(subject.subject,
 38                    '(?:pay\s?(?:roll|check|date|day)|direct deposit|(?:acct|account) rephrase|paid.{0,50}problems|\bACH\b|\bdd\b|gehalt|salario|salary|employee self[-\s]?service|\bESS\b.{0,15}portal)'
 39    )
 40  )
 41  
 42  // sender profile negations
 43  and (
 44    not profile.by_sender_email().solicited
 45    or profile.by_sender().any_messages_malicious_or_spam
 46  )
 47  and not profile.by_sender().any_messages_benign
 48  
 49  // negate highly trusted sender domains unless they fail DMARC authentication
 50  and (
 51    (
 52      sender.email.domain.root_domain in $high_trust_sender_root_domains
 53      and (
 54        any(distinct(headers.hops, .authentication_results.dmarc is not null),
 55            strings.ilike(.authentication_results.dmarc, "*fail")
 56        )
 57      )
 58    )
 59    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 60  )
 61  
 62  // negate legitimate conversations
 63  and not (
 64    (
 65      length(headers.references) > 0
 66      or headers.in_reply_to is not null
 67      or (
 68        any(headers.hops,
 69            any(.fields,
 70                strings.ilike(.name, "x-autoreply")
 71                and strings.ilike(.value, "yes")
 72            )
 73        )
 74      )
 75    )
 76    // previous thread present
 77    and (
 78      (
 79        (subject.is_forward or subject.is_reply)
 80        and length(body.previous_threads) >= 1
 81      )
 82      // automatic reply structure
 83      or (
 84        strings.istarts_with(subject.base, "automatic reply")
 85        or strings.istarts_with(subject.base, "out of office")
 86      )
 87    )
 88  )
 89  
 90  // ignore personal <> work emails
 91  and not (
 92    length(recipients.to) == 1
 93    and sender.email.domain.valid
 94    and all(headers.reply_to, .email.email == sender.email.email)
 95    and sender.display_name == mailbox.display_name
 96  )
 97  
 98  // topic negations
 99  and not any(ml.nlu_classifier(body.current_thread.text).topics,
100              .name == "Advertising and Promotions"
101  )  
102
103attack_types:
104  - "BEC/Fraud"
105tactics_and_techniques:
106  - "Impersonation: Employee"
107  - "Free email provider"
108  - "Social engineering"
109detection_methods:
110  - "Content analysis"
111  - "Sender analysis"
112id: "2beb7d85-dfe3-5ecc-9b2a-d7416a3ef992"
to-top