Employee impersonation with urgent request (first-time sender)

Sender is using a display name that matches the display name of someone in your organization.

Detects potential Business Email Compromise (BEC) attacks by analyzing the text of the email body in messages from first-time senders.

Sublime rule

name: "Employee impersonation with urgent request (first-time sender)"
description: |
  Sender is using a display name that matches the display name of someone in your organization.

  Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body first-time senders.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.display_name in~ $org_display_names
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "bec" and .confidence == "high"
    )
    or (
      (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "urgency"
        )
        and any(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "request"
        )
      )
      and not any(ml.nlu_classifier(body.current_thread.text).intents,
                  .name == "benign" and .confidence == "high"
      )
      // there are intents returned
      and any(ml.nlu_classifier(body.current_thread.text).intents, true)
      and not strings.istarts_with(subject.subject, "fwd:")
    )
  )
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  and not profile.by_sender().any_false_positives

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "1ce9a146-1293-531e-bb02-0af7ad1b018e"
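To make the rule's decision tree easier to test, the following added example (written for this page, not Sublime's MQL engine or part of the rule) models the same conditions in Python and runs them over constructed sample messages. The `Message` fields, the `ORG_DISPLAY_NAMES` and `HIGH_TRUST_SENDER_ROOT_DOMAINS` sets, and the NLU results are simplified assumptions standing in for `profile.by_sender()`, the `$org_display_names` / `$high_trust_sender_root_domains` lists and `ml.nlu_classifier`; `type.inbound` is assumed true for every sample. The samples exercise the edge cases the rule carves out: a forwarded thread, a high-trust domain that passes versus fails DMARC, and an established sender.

```python
"""Python model of the 'Employee impersonation with urgent request' rule.

Added illustration only: this is not Sublime's engine. Message/profile fields
and the list contents below are constructed assumptions.
"""
from dataclasses import dataclass, replace

# Constructed stand-ins for $org_display_names / $high_trust_sender_root_domains.
# Stored lowercase because the rule uses case-insensitive `in~`.
ORG_DISPLAY_NAMES = {"jane doe", "sam patel"}
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"trustedpartner.example"}


@dataclass
class Message:
    display_name: str
    sender_root_domain: str
    subject: str
    intents: list            # (name, confidence) pairs, as the NLU classifier would return
    entities: list           # entity names returned by the NLU classifier
    prevalence: str          # "new", "outlier", "common", ...
    solicited: bool
    any_malicious_or_spam: bool
    any_false_positives: bool
    dmarc_results: list      # per-hop DMARC result, None where the hop has none


def has_intent(msg, name, confidence="high"):
    return any(n == name and c == confidence for n, c in msg.intents)


def bec_language(msg):
    """NLU branch: a high-confidence BEC intent, or urgency + request entities
    with no high-confidence benign intent, at least one intent, and not a forward."""
    if has_intent(msg, "bec"):
        return True
    return (
        "urgency" in msg.entities
        and "request" in msg.entities
        and not has_intent(msg, "benign")
        and len(msg.intents) > 0                       # "there are intents returned"
        and not msg.subject.lower().startswith("fwd:")  # strings.istarts_with
    )


def suspicious_sender_profile(msg):
    """Unsolicited new/outlier sender, or a sender with prior bad mail and no FPs."""
    return (
        (msg.prevalence in ("new", "outlier") and not msg.solicited)
        or (msg.any_malicious_or_spam and not msg.any_false_positives)
    )


def high_trust_exception_cleared(msg):
    """High-trust root domains are exempt unless some hop reports a DMARC fail
    (strings.ilike(..., "*fail") is a case-insensitive suffix match)."""
    if msg.sender_root_domain not in HIGH_TRUST_SENDER_ROOT_DOMAINS:
        return True
    return any(r is not None and r.lower().endswith("fail") for r in msg.dmarc_results)


def rule_matches(msg):
    return (
        msg.display_name.lower() in ORG_DISPLAY_NAMES
        and bec_language(msg)
        and suspicious_sender_profile(msg)
        and high_trust_exception_cleared(msg)
        and not msg.any_false_positives
    )


# Constructed samples; domains and names are placeholders, not real senders.
_base = Message(
    display_name="Jane Doe", sender_root_domain="freemail.example",
    subject="Quick favor", intents=[("bec", "high")], entities=[],
    prevalence="new", solicited=False, any_malicious_or_spam=False,
    any_false_positives=False, dmarc_results=[None, "pass"],
)
SAMPLES = {
    "bec_intent": _base,
    "urgent_request": replace(_base, subject="Need this today",
                              intents=[("request", "medium")],
                              entities=["urgency", "request"]),
    "forwarded": replace(_base, subject="Fwd: Need this today",
                         intents=[("request", "medium")],
                         entities=["urgency", "request"]),
    "trusted_dmarc_pass": replace(_base, sender_root_domain="trustedpartner.example"),
    "trusted_dmarc_fail": replace(_base, sender_root_domain="trustedpartner.example",
                                  dmarc_results=[None, "FAIL"]),
    "known_sender": replace(_base, prevalence="common", solicited=True),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:20s} -> {'MATCH' if rule_matches(sample) else 'no match'}")
```

Running the block prints one verdict per sample. The two trusted-domain cases are the ones worth studying: the same impersonation text is suppressed when the partner domain's DMARC passes and fires again as soon as any hop records a DMARC failure, which is exactly the carve-out the rule comment describes.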