Employee impersonation with urgent request (untrusted sender)
Sender is using a display name that matches the display name of someone in your organization.
Detects potential Business Email Compromise (BEC) attacks by analyzing the text of the email body in messages from untrusted senders.
# Sublime detection rule: employee display-name impersonation with an urgent request.
#
# Fires when an inbound message's display name exactly (case-insensitively)
# matches an entry in $org_display_names, the NLU classifier sees BEC intent
# or an urgency+request combination in the current thread, and the sender
# profile is untrusted (new/outlier and unsolicited, previously flagged, or
# failing DMARC). Messages from org or high-trust domains are excluded unless
# they fail DMARC, as are senders with recorded false positives.
name: "Employee impersonation with urgent request (untrusted sender)"
description: |
  Sender is using a display name that matches the display name of someone in your organization.

  Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
  and strings.contains(sender.display_name, " ")
  // case-insensitive membership in the org display-name list; this is an exact
  // string match, so spacing/punctuation variants or homoglyph lookalikes of an
  // employee name are NOT caught by this clause
  and sender.display_name in~ $org_display_names
  // content signal: either high-confidence BEC intent, or urgency + request
  // entities with no high-confidence benign intent
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "bec" and .confidence == "high"
    )
    or (
      (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "urgency"
        )
        and any(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "request"
        )
      )
      and not any(ml.nlu_classifier(body.current_thread.text).intents,
                  .name == "benign" and .confidence == "high"
      )
      and (
        (
          // there are intents returned
          any(ml.nlu_classifier(body.current_thread.text).intents, true)
          // short body that also contains an org display name
          // NOTE(review): the comment above says "short body" but the condition
          // below requires MORE than 200 characters -- confirm which is intended
          or (
            length(body.current_thread.text) > 200
            and any(ml.nlu_classifier(body.current_thread.text).entities,
                    .name == "sender" and .text in~ $org_display_names
            )
          )
        )
        // the forwarded-subject exclusion applies only to this urgency/request
        // branch; a high-confidence "bec" intent above still fires on "fwd:" subjects
        and not strings.istarts_with(subject.subject, "fwd:")
      )
    )
  )
  // sender-trust signal: new/outlier and unsolicited, previously flagged without
  // false positives, or not passing DMARC (presumably also true when no DMARC
  // result is present -- confirm)
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      // redundant with the trailing any_false_positives exclusion below
      and not profile.by_sender().any_false_positives
    )
    or not headers.auth_summary.dmarc.pass
  )

  // negate org domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $org_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $org_domains
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // suppress any sender with a recorded false positive, regardless of the branch above
  and not profile.by_sender().any_false_positives


attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "1ce9a146-1293-531e-bb02-0af7ad1b018e"