Employee impersonation with urgent request (untrusted sender)

Sender is using a display name that matches the display name of someone in your organization.

Detects potential Business Email Compromise (BEC) attacks by analyzing the text of the email body in messages from untrusted senders.


name: "Employee impersonation with urgent request (untrusted sender)"
description: |
  Sender is using a display name that matches the display name of someone in your organization.

  Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.  
type: "rule"
severity: "medium"
source: |
  // Overall shape of the rule: inbound message
  //   AND sender display name collides with an org display name
  //   AND the current-thread text reads like BEC / an urgent request
  //   AND the sender is untrusted (new/outlier, previously flagged, or failing DMARC)
  //   AND org / high-trust domains are exempted unless they fail DMARC
  //   AND the sender has no recorded false positives.
  type.inbound

  // ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
  and strings.contains(sender.display_name, " ")
  // case-insensitive (~) membership in the org-maintained display-name list.
  // The list lives outside this rule, so coverage is only as good as that list.
  and sender.display_name in~ $org_display_names
  and (
    // Path 1: the NLU classifier is highly confident the current thread
    // text is BEC. body.current_thread.text is presumably the latest
    // message only (not quoted history) — confirm against the field docs.
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "bec" and .confidence == "high"
    )
    // Path 2: weaker signals combined — an "urgency" entity and a
    // "request" entity, no high-confidence "benign" intent, and either
    // some intent was returned or the long-body fallback below matches.
    // Forwarded threads are excluded from this path.
    or (
      (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "urgency"
        )
        and any(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "request"
        )
      )
      // a confident "benign" intent vetoes this path even with urgency+request present
      and not any(ml.nlu_classifier(body.current_thread.text).intents,
                  .name == "benign" and .confidence == "high"
      )
      and (
        (
          // there are intents returned
          any(ml.nlu_classifier(body.current_thread.text).intents, true)
          // Fallback when the classifier returned no intents: require a body
          // longer than 200 characters whose extracted "sender" entity is
          // itself an org display name.
          // NOTE(review): the original comment called this a "short body"
          // check, but the condition below is `> 200`; confirm whether
          // `< 200` was intended before changing either the comment or the
          // operator, since it changes which no-intent messages fire.
          or (
            length(body.current_thread.text) > 200
            and any(ml.nlu_classifier(body.current_thread.text).entities,
                    .name == "sender" and .text in~ $org_display_names
            )
          )
        )
        // exclude forwarded threads (case-insensitive "fwd:" subject prefix).
        // NOTE(review): the shorter "fw:" prefix variant is not covered here;
        // confirm whether that is intentional.
        and not strings.istarts_with(subject.subject, "fwd:")
      )
    )
  )
  // Untrusted-sender gate. Any one of:
  //   - sender is new or an outlier for this org and the mail is unsolicited
  //   - sender has prior malicious/spam verdicts and no false positives
  //   - the message fails DMARC
  // NOTE(review): confirm how `not headers.auth_summary.dmarc.pass` evaluates
  // when no DMARC result is present; if a missing result counts as "not pass",
  // every sender without DMARC satisfies this gate.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    or not headers.auth_summary.dmarc.pass
  )
  
  // negate org domains unless they fail DMARC authentication
  // (an org-domain sender that passes DMARC is treated as genuinely internal;
  // one that fails DMARC is still evaluated because the domain may be spoofed)
  and (
    (
      sender.email.domain.root_domain in $org_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $org_domains
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (same pattern as the org-domain exemption above, against the
  // org-maintained $high_trust_sender_root_domains list)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  
  // global false-positive exemption; this also makes the same check inside
  // the "previously flagged" branch of the untrusted-sender gate redundant
  and not profile.by_sender().any_false_positives  


attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "1ce9a146-1293-531e-bb02-0af7ad1b018e"