Employee impersonation with urgent request (untrusted sender)
Sender is using a display name that matches the display name of someone in your organization.
Detects potential Business Email Compromise (BEC) attacks by analyzing the text of the email body from untrusted senders.
Sublime rule (View on GitHub)
name: "Employee impersonation with urgent request (untrusted sender)"
description: |
  Sender is using a display name that matches the display name of someone in your organization.

  Detects potential Business Email Compromise (BEC) attacks by analyzing the text of the email body from untrusted senders.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // ensure the display name contains a space to avoid single-named process accounts, e.g. 'billing', 'payment'
  and strings.contains(sender.display_name, " ")
  and sender.display_name in~ $org_display_names
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "bec" and .confidence == "high"
    )
    or (
      (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "urgency"
        )
        and any(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "request"
        )
      )
      and not any(ml.nlu_classifier(body.current_thread.text).intents,
                  .name == "benign" and .confidence == "high"
      )
      // there are intents returned
      and any(ml.nlu_classifier(body.current_thread.text).intents, true)
      and not strings.istarts_with(subject.subject, "fwd:")
    )
  )
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate org domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $org_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $org_domains
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  and not profile.by_sender().any_false_positives

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "1ce9a146-1293-531e-bb02-0af7ad1b018e"
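The rule above is written in Sublime's MQL and only runs inside the Sublime platform. To make its branching logic testable offline, here is a Python re-implementation of the same predicates run over constructed sample messages. This is an added example, not Sublime's code or engine: the NLU classifier output (intents and entities), the sender profile, and the DMARC result are supplied as pre-computed inputs, and the list values standing in for $org_display_names, $org_domains and $high_trust_sender_root_domains are invented for the example. It exercises each branch the rule takes: the case-insensitive display-name match, the single-word exclusion, the urgency+request fallback with its benign and "fwd:" exceptions, the sender-reputation gate, and the org/high-trust domain exemption that is withdrawn when DMARC fails.

```python
"""Reference re-implementation of the rule's logic (added example, not Sublime's
own code). Classifier output and sender profile are constructed inputs so the
predicate logic can be run offline against sample messages."""
from dataclasses import dataclass


@dataclass
class Profile:
    prevalence: str                  # "new", "outlier", "common", ...
    solicited: bool
    any_messages_malicious_or_spam: bool = False
    any_false_positives: bool = False


@dataclass
class Message:
    display_name: str
    sender_root_domain: str
    dmarc_pass: bool
    subject: str
    intents: list   # [(name, confidence), ...] as the classifier would return them
    entities: list  # entity names found in the current thread text
    profile: Profile


# Constructed stand-ins for the rule's list variables (assumptions, not real data).
# "Billing" is included to show why the display name must contain a space.
ORG_DISPLAY_NAMES = {"Jane Doe", "Sam Patel", "Billing"}
ORG_DOMAINS = {"example.com"}
HIGH_TRUST_ROOT_DOMAINS = {"trustedvendor.example"}


def impersonates_employee(m, org_display_names):
    # `in~` is case-insensitive; the space check drops single-word process
    # accounts that would otherwise collide with real employee names.
    names = {n.lower() for n in org_display_names}
    return " " in m.display_name and m.display_name.lower() in names


def body_signals_bec(m):
    high_bec = any(n == "bec" and c == "high" for n, c in m.intents)
    urgent_request = "urgency" in m.entities and "request" in m.entities
    high_benign = any(n == "benign" and c == "high" for n, c in m.intents)
    has_intents = len(m.intents) > 0
    forwarded = m.subject.lower().startswith("fwd:")
    return high_bec or (urgent_request and not high_benign and has_intents and not forwarded)


def sender_is_untrusted(m):
    p = m.profile
    return ((p.prevalence in ("new", "outlier") and not p.solicited)
            or (p.any_messages_malicious_or_spam and not p.any_false_positives))


def domain_not_exempt(m, domains):
    # A listed domain is exempt only while DMARC passes; a failing DMARC
    # result keeps it in scope because the domain may be spoofed.
    return m.sender_root_domain not in domains or not m.dmarc_pass


def matches(m, org_display_names=ORG_DISPLAY_NAMES, org_domains=ORG_DOMAINS,
            high_trust=HIGH_TRUST_ROOT_DOMAINS):
    return (impersonates_employee(m, org_display_names)
            and body_signals_bec(m)
            and sender_is_untrusted(m)
            and domain_not_exempt(m, org_domains)
            and domain_not_exempt(m, high_trust)
            and not m.profile.any_false_positives)


def _msg(**overrides):
    """Constructed baseline: new unsolicited freemail sender using an employee's name."""
    base = dict(display_name="Jane Doe", sender_root_domain="gmail.com", dmarc_pass=True,
                subject="Quick favor", intents=[("bec", "high")],
                entities=["urgency", "request"], profile=Profile("new", False))
    base.update(overrides)
    return Message(**base)


def run_samples():
    """Evaluate the rule against one constructed message per branch."""
    return {
        "freemail_lookalike": matches(_msg()),
        "case_insensitive_name": matches(_msg(display_name="jane doe")),
        "single_word_name": matches(_msg(display_name="Billing")),
        "urgent_request_no_bec_intent": matches(_msg(intents=[("request", "medium")])),
        "forwarded_thread": matches(_msg(intents=[("request", "medium")], subject="FWD: invoice")),
        "benign_high": matches(_msg(intents=[("request", "medium"), ("benign", "high")])),
        "org_domain_dmarc_pass": matches(_msg(sender_root_domain="example.com")),
        "org_domain_dmarc_fail": matches(_msg(sender_root_domain="example.com", dmarc_pass=False)),
        "established_sender": matches(_msg(profile=Profile("common", True))),
        "prior_false_positive": matches(_msg(profile=Profile("new", False, True, True))),
    }


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:30} {'MATCH' if hit else 'no match'}")
```

The two domain exemptions are the part worth reading twice: a message whose sender domain is in $org_domains is normally out of scope, but the exemption is withdrawn when DMARC fails, so a spoofed internal address with a matching employee display name still fires. The trailing `not any_false_positives` also overrides the reputation branch, so a sender with prior malicious messages is still excluded once an analyst has marked one of their messages as a false positive.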