BEC: Employee impersonation with subject manipulation

Subject matches the display name of someone in your organization, and the body resembles a BEC attack.

Sublime rule

name: "BEC: Employee impersonation with subject manipulation"
description: |
    Subject matches the display name of someone in your organization, and the body resembles a BEC attack.
type: "rule"
severity: "high"
source: |
  type.inbound

  // attacks have been observed where the impersonation is
  // in the subject, and the display name contains what a
  // subject typically would contain. this is an attempt to
  // bypass impersonation detections. in~ is a case-insensitive
  // membership test against the org's display names
  and subject.subject in~ $org_display_names

  // the current thread reads as BEC with at least medium confidence
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "bec" and .confidence in ("medium", "high")
  )

  // sender is unsolicited, or has prior malicious/spam verdicts
  // and has never been marked as a false positive
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "9adfc77b-cabe-5ef8-b1ed-6ad5d682447f"
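The three clauses of the rule, re-implemented in plain Python over constructed messages as an added example (this is not Sublime's code and not the rule's MQL). ml.nlu_classifier is replaced by a keyword stand-in that only mimics its (intent, confidence) output, $org_display_names by a constructed set, and naive_display_name_rule is a simplified construct standing in for the display-name impersonation check the subject/display-name swap is designed to slip past:

```python
# Added example, not Sublime's code: the rule's logic over constructed messages,
# showing why swapping the impersonated name into the subject evades a naive
# display-name check but still trips this rule. The NLU classifier is a keyword
# stand-in; the org name list, domain and messages are all constructed.
from __future__ import annotations
from dataclasses import dataclass

ORG_DISPLAY_NAMES = {"Jane Doe", "John Smith"}   # stand-in for $org_display_names
ORG_DOMAIN = "example.com"                        # constructed org domain

# Stand-in for ml.nlu_classifier: the real thing is an ML model, this just
# counts BEC-flavoured phrases to produce a (name, confidence) pair.
BEC_PHRASES = ("gift card", "wire transfer", "are you available", "urgent",
               "direct deposit", "keep this confidential")

@dataclass
class SenderProfile:
    """Mirrors the profile.by_sender() fields the rule consults."""
    solicited: bool
    any_messages_malicious_or_spam: bool = False
    any_false_positives: bool = False

@dataclass
class Message:
    display_name: str
    sender_email: str
    subject: str
    body: str
    profile: SenderProfile

def nlu_bec_intent(text: str) -> tuple[str, str]:
    """Keyword stand-in for the classifier's top intent: (name, confidence)."""
    hits = sum(1 for phrase in BEC_PHRASES if phrase in text.lower())
    if hits >= 2:
        return ("bec", "high")
    if hits == 1:
        return ("bec", "medium")
    return ("benign", "low")

def _in_org_names(value: str) -> bool:
    # MQL's in~ is case-insensitive membership; casefold both sides.
    return value.strip().casefold() in {n.casefold() for n in ORG_DISPLAY_NAMES}

def sender_is_suspicious(p: SenderProfile) -> bool:
    """Third clause: unsolicited, or prior bad verdicts with no false positives."""
    return (not p.solicited) or (p.any_messages_malicious_or_spam and not p.any_false_positives)

def subject_manipulation_rule(msg: Message) -> bool:
    """The rule on this page: the impersonated name sits in the subject."""
    name, confidence = nlu_bec_intent(msg.body)
    return (_in_org_names(msg.subject)
            and name == "bec" and confidence in ("medium", "high")
            and sender_is_suspicious(msg.profile))

def naive_display_name_rule(msg: Message) -> bool:
    """Constructed, simplified classic check: org name in display name, external sender."""
    return _in_org_names(msg.display_name) and not msg.sender_email.lower().endswith("@" + ORG_DOMAIN)

# Constructed sample messages; every name and address here is fictitious.
UNSOLICITED = SenderProfile(solicited=False)
SAMPLES = {
    # name and subject swapped: the display name looks like a subject line
    "swapped": Message("Quick request", "jane.doe.ceo@mail.example.net", "Jane Doe",
                       "Are you available? I need you to buy gift cards today, keep this confidential.",
                       UNSOLICITED),
    # ordinary display-name impersonation, where a naive check looks
    "classic": Message("Jane Doe", "jane.doe.ceo@mail.example.net", "Quick request",
                       "Are you available? I need you to buy gift cards today.", UNSOLICITED),
    # subject is a person's name, but the body is not BEC and the sender is solicited
    "benign_hr": Message("HR Team", "hr@partner.example.org", "jane doe",
                         "Attached is the onboarding schedule for next week.", SenderProfile(solicited=True)),
    # solicited sender with a prior malicious verdict and no false positives still qualifies
    "solicited_bad_history": Message("Re: payroll", "accounts@vendor.example.org", "John Smith",
                                     "Urgent: please update my direct deposit before payroll runs.",
                                     SenderProfile(solicited=True, any_messages_malicious_or_spam=True)),
}

def evaluate_samples() -> dict[str, tuple[bool, bool]]:
    """Return {sample: (subject_rule_hit, naive_display_name_hit)} for every sample."""
    return {k: (subject_manipulation_rule(m), naive_display_name_rule(m)) for k, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, (subj_hit, naive_hit) in evaluate_samples().items():
        print(f"{name:22} subject-rule={subj_hit!s:5} naive-display-name={naive_hit}")
```

Running the block shows the "swapped" message hitting only this rule and the "classic" message hitting only the display-name check, which is the gap the rule is closing; the "solicited_bad_history" sample shows why the third clause is an or rather than a plain unsolicited test. The keyword stand-in says nothing about the real classifier's confidence behaviour, so tune the medium/high threshold against your own traffic rather than against this toy.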