Employee impersonation with urgent request (untrusted sender)

Sender is using a display name that matches the display name of someone in your organization.

Detects potential Business Email Compromise (BEC) attacks by analyzing the text of the email body of messages from untrusted senders.

Sublime rule (View on GitHub)

name: "Employee impersonation with urgent request (untrusted sender)"
description: |
  Sender is using a display name that matches the display name of someone in your organization.

  Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
  and strings.contains(sender.display_name, " ")
  and sender.display_name in~ $org_display_names
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "bec" and .confidence == "high"
    )
    or (
      (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "urgency"
        )
        and any(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "request"
        )
      )
      and not any(ml.nlu_classifier(body.current_thread.text).intents,
                  .name == "benign" and .confidence == "high"
      )
      // there are intents returned
      and any(ml.nlu_classifier(body.current_thread.text).intents, true)
      and not strings.istarts_with(subject.subject, "fwd:")
    )
  )
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate org domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $org_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $org_domains
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  and not profile.by_sender().any_false_positives

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "1ce9a146-1293-531e-bb02-0af7ad1b018e"
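To trace how the rule's gates combine, here is an added Python re-implementation of its boolean logic (example code, not Sublime's own). The NLU classifier output, the sender profile fields and the `$org_display_names`, `$org_domains` and `$high_trust_sender_root_domains` lists are all constructed stand-ins supplied as plain data, so the example runs offline.

```python
from dataclasses import dataclass, field
# Constructed stand-ins for the rule's lists ($org_display_names etc.)
ORG_DISPLAY_NAMES = {"jane doe"}
ORG_DOMAINS = {"example.com"}
HIGH_TRUST_DOMAINS = {"partner.example"}

@dataclass
class Msg:
    display_name: str
    root_domain: str
    subject: str
    dmarc_pass: bool
    prevalence: str                 # profile.by_sender().prevalence
    solicited: bool = False
    any_malicious_or_spam: bool = False
    any_false_positives: bool = False
    intents: dict = field(default_factory=dict)  # constructed NLU output: name -> confidence
    entities: set = field(default_factory=set)   # constructed NLU output: entity names

def nlu_suspicious(m: Msg) -> bool:
    """High-confidence BEC intent, or urgency + request with no high-confidence benign intent."""
    if m.intents.get("bec") == "high":
        return True
    return ({"urgency", "request"} <= m.entities
            and m.intents.get("benign") != "high"
            and bool(m.intents)                       # there are intents returned
            and not m.subject.lower().startswith("fwd:"))

def sender_untrusted(m: Msg) -> bool:
    return ((m.prevalence in ("new", "outlier") and not m.solicited)
            or (m.any_malicious_or_spam and not m.any_false_positives))

def domain_allowed(m: Msg, trusted: set) -> bool:
    """Trusted domains are negated unless the message failed DMARC."""
    return m.root_domain not in trusted or not m.dmarc_pass

def matches(m: Msg) -> bool:
    return (" " in m.display_name                              # skip single-word process accounts
            and m.display_name.lower() in ORG_DISPLAY_NAMES    # `in~` is case-insensitive
            and nlu_suspicious(m)
            and sender_untrusted(m)
            and domain_allowed(m, ORG_DOMAINS)
            and domain_allowed(m, HIGH_TRUST_DOMAINS)
            and not m.any_false_positives)

# Constructed messages: a lookalike from a free-mail domain vs. the real employee (DMARC pass)
IMPERSONATION = Msg("Jane Doe", "gmail.com", "Quick favor", True, "new",
                    intents={"bec": "high"}, entities={"urgency", "request"})
LEGIT_INTERNAL = Msg("Jane Doe", "example.com", "Quick favor", True, "new",
                     intents={"bec": "high"}, entities={"urgency", "request"})
```

`matches(IMPERSONATION)` is true while `matches(LEGIT_INTERNAL)` is false, because the same display name from an org domain that passes DMARC is negated by the domain gate.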