Impersonation: Employee name in subject with suspicious sender

Detects inbound messages where the sender is using a free email provider and their display name matches an known organizational display name. The sender's local part contains common organizational role keywords (mail, office, staff, executive), and the subject line matches the recipient's first name or display name, suggesting a targeted impersonation of an internal employee or executive.

Sublime rule (View on GitHub)

 1name: "Impersonation: Employee name in subject with suspicious sender"
 2description: "Detects inbound messages where the sender is using a free email provider and their display name matches an known organizational display name. The sender's local part contains common organizational role keywords (mail, office, staff, executive), and the subject line matches the recipient's first name or display name, suggesting a targeted impersonation of an internal employee or executive."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // suspicious local part
 8  and strings.contains(sender.email.local_part,
 9                       'mail',
10                       'office',
11                       'staff',
12                       'executive'
13  )
14  and (mailbox.first_name == subject.base or mailbox.display_name == subject.base)
15  and strings.contains(sender.display_name, " ")
16  and sender.display_name in~ $org_display_names
17  and sender.email.domain.root_domain in $free_email_providers  
18attack_types:
19  - "BEC/Fraud"
20tactics_and_techniques:
21  - "Impersonation: Employee"
22  - "Impersonation: VIP"
23  - "Free email provider"
24  - "Social engineering"
25  - "Spoofing"
26detection_methods:
27  - "Sender analysis"
28  - "Content analysis"
29id: "bb0e78cc-e529-5bcc-b4af-524446e2c2ea"
to-top