BEC: Employee impersonation with subject manipulation
Subject matches the display name of someone in your organization, and the body resembles a BEC attack.
Sublime rule (View on GitHub)
name: "BEC: Employee impersonation with subject manipulation"
description: |
  Subject matches the display name of someone in your organization, and the body resembles a BEC attack.
type: "rule"
severity: "high"
source: |
  type.inbound

  // attacks have been observed where the impersonation is
  // in the subject, and the display name contains what a
  // subject typically would contain. this is an attempt to
  // bypass impersonation detections
  and subject.subject in~ $org_display_names
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "bec" and .confidence in ("medium", "high")
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "9adfc77b-cabe-5ef8-b1ed-6ad5d682447f"
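To make the rule's three conditions and its false-positive suppression branch concrete, here is the same boolean logic rewritten in plain Python as an added example (not Sublime's code). The NLU intents, the sender profile and the org display-name list are constructed inputs standing in for `ml.nlu_classifier`, `profile.by_sender()` and `$org_display_names`, and `type.inbound` is assumed true.

```python
from dataclasses import dataclass


@dataclass
class SenderProfile:
    """Mirrors the profile.by_sender() fields the rule consults (constructed)."""
    solicited: bool
    any_messages_malicious_or_spam: bool = False
    any_false_positives: bool = False


@dataclass
class Message:
    subject: str
    intents: list          # (name, confidence) pairs as the NLU classifier would return them
    sender: SenderProfile


def subject_impersonates_employee(subject: str, org_display_names) -> bool:
    # MQL `in~` is a case-insensitive membership test, so fold case on both sides.
    return subject.casefold() in {n.casefold() for n in org_display_names}


def body_looks_like_bec(intents) -> bool:
    # any(intents, .name == "bec" and .confidence in ("medium", "high"))
    return any(name == "bec" and conf in ("medium", "high") for name, conf in intents)


def sender_is_suspicious(p: SenderProfile) -> bool:
    # Unsolicited senders always qualify; solicited senders only if they have prior
    # malicious/spam mail that an analyst never marked as a false positive.
    return (not p.solicited) or (p.any_messages_malicious_or_spam and not p.any_false_positives)


def rule_matches(msg: Message, org_display_names) -> bool:
    return (subject_impersonates_employee(msg.subject, org_display_names)
            and body_looks_like_bec(msg.intents)
            and sender_is_suspicious(msg.sender))


ORG_DISPLAY_NAMES = ["Jane Doe", "John Smith"]  # constructed stand-in for $org_display_names

SAMPLES = {  # constructed messages covering a hit and two non-matches
    "hit": Message("jane doe", [("bec", "high")], SenderProfile(solicited=False)),
    "low_confidence": Message("Jane Doe", [("bec", "low")], SenderProfile(solicited=False)),
    "cleared_sender": Message("Jane Doe", [("bec", "medium")],
                              SenderProfile(solicited=True, any_messages_malicious_or_spam=True,
                                            any_false_positives=True)),
}

if __name__ == "__main__":
    for label, m in SAMPLES.items():
        print(f"{label}: {rule_matches(m, ORG_DISPLAY_NAMES)}")
```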