Employee impersonation with urgent request (untrusted sender)

Sender is using a display name that matches the display name of someone in your organization.

Detects potential Business Email Compromise (BEC) attacks by analyzing the text of the email body from untrusted senders.

Sublime rule (View on GitHub)

 1name: "Employee impersonation with urgent request (untrusted sender)"
 2description: |
 3  Sender is using a display name that matches the display name of someone in your organization.
 4
 5  Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.  
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  
11  // ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
12  and strings.contains(sender.display_name, " ")
13  and sender.display_name in~ $org_display_names
14  and (
15    any(ml.nlu_classifier(body.current_thread.text).intents,
16        .name == "bec" and .confidence == "high"
17    )
18    or (
19      (
20        any(ml.nlu_classifier(body.current_thread.text).entities,
21            .name == "urgency"
22        )
23        and any(ml.nlu_classifier(body.current_thread.text).entities,
24                .name == "request"
25        )
26      )
27      and not any(ml.nlu_classifier(body.current_thread.text).intents,
28                  .name == "benign" and .confidence == "high"
29      )
30      and (
31        (
32          // there are intents returned
33          any(ml.nlu_classifier(body.current_thread.text).intents, true)
34          // short body that also contains an org display name
35          or (
36            length(body.current_thread.text) > 200
37            and any(ml.nlu_classifier(body.current_thread.text).entities,
38                    .name == "sender" and .text in~ $org_display_names
39            )
40          )
41        )
42        and not strings.istarts_with(subject.subject, "fwd:")
43      )
44    )
45  )
46  and (
47    (
48      profile.by_sender().prevalence in ("new", "outlier")
49      and not profile.by_sender().solicited
50    )
51    or (
52      profile.by_sender().any_messages_malicious_or_spam
53      and not profile.by_sender().any_false_positives
54    )
55  )
56
57  // negate org domains unless they fail DMARC authentication
58  and (
59    (
60      sender.email.domain.root_domain in $org_domains
61      and not headers.auth_summary.dmarc.pass
62    )
63    or sender.email.domain.root_domain not in $org_domains
64  )
65  
66  // negate highly trusted sender domains unless they fail DMARC authentication
67  and (
68    (
69      sender.email.domain.root_domain in $high_trust_sender_root_domains
70      and not headers.auth_summary.dmarc.pass
71    )
72    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
73  )
74
75  and not profile.by_sender().any_false_positives  
76
77attack_types:
78  - "BEC/Fraud"
79tactics_and_techniques:
80  - "Impersonation: Employee"
81  - "Social engineering"
82detection_methods:
83  - "Content analysis"
84  - "Header analysis"
85  - "Natural Language Understanding"
86  - "Sender analysis"
87id: "1ce9a146-1293-531e-bb02-0af7ad1b018e"