Impersonation: Executive using numbered local part

Detects messages from free email providers where the sender's email address uses a pattern commonly associated with executive impersonation, containing 'chair' or 'ceo' followed by numbers in the local part.

Sublime rule

```yaml
name: "Impersonation: Executive using numbered local part"
description: "Detects messages from free email providers where the sender's email address uses a pattern commonly associated with executive impersonation, containing 'chair' or 'ceo' followed by numbers in the local part."
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.domain.domain in $free_email_providers
  and regex.icontains(sender.email.local_part, '^c(?:hair|eo)\d+')

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: VIP"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "8e005a22-5946-5614-a77d-89cef4ee754a"
```
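To make the rule's three conditions concrete, here is an added Python re-implementation of its logic run over a handful of constructed `From:` headers. It is example code written for this page, not part of the Sublime rule or the Sublime platform. The `FREE_EMAIL_PROVIDERS` set is a small stand-in for Sublime's `$free_email_providers` list, and `registered_domain()` only approximates `sender.email.domain.domain` (the registrable domain) by keeping the last two labels; both are assumptions made for the example.

```python
import re
from email.utils import parseaddr

# Constructed stand-in for Sublime's $free_email_providers list (assumption: the real list is far larger).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "icloud.com"}

# Same pattern the rule passes to regex.icontains(): anchored at the start of the local part,
# case-insensitive, 'chair' or 'ceo' immediately followed by one or more digits.
EXEC_LOCAL_PART = re.compile(r"^c(?:hair|eo)\d+", re.IGNORECASE)


def registered_domain(domain: str) -> str:
    """Approximate sender.email.domain.domain by keeping the last two labels.

    Assumption for this example only; a public-suffix-aware implementation is needed
    for domains such as example.co.uk.
    """
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:])


def matches_rule(from_header: str, inbound: bool = True) -> bool:
    """Return True when a message would satisfy all three conditions of the rule."""
    # type.inbound: the rule only fires on inbound mail.
    if not inbound:
        return False
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    local_part, domain = addr.rsplit("@", 1)
    # sender.email.domain.domain in $free_email_providers
    if registered_domain(domain) not in FREE_EMAIL_PROVIDERS:
        return False
    # regex.icontains(sender.email.local_part, '^c(?:hair|eo)\d+'): search, so '^' anchors to the start.
    return EXEC_LOCAL_PART.search(local_part) is not None


# Constructed sample headers: (From header, is_inbound).
SAMPLE_MESSAGES = [
    ('"John Doe" <ceo2024@gmail.com>', True),       # fires: ceo + digits, free provider
    ("chair01@YAHOO.COM", True),                     # fires: case-insensitive domain match
    ('"Chair" <CHAIR7@outlook.com>', True),          # fires: icontains is case-insensitive
    ("ceo.office@gmail.com", True),                  # no digits directly after 'ceo'
    ("chairman5@gmail.com", True),                   # 'chair' followed by letters, not digits
    ("ceo99@acme-corp.example", True),               # not a free email provider
    ("xceo5@gmail.com", True),                       # pattern is anchored; 'x' prefix defeats it
    ("ceo99@gmail.com", False),                      # outbound message, type.inbound fails
]


def evaluate(samples=SAMPLE_MESSAGES):
    """Evaluate each sample and return a list of (from_header, fired) tuples."""
    return [(header, matches_rule(header, inbound)) for header, inbound in samples]


if __name__ == "__main__":
    for header, fired in evaluate():
        print(f"{'FIRE ' if fired else 'pass '} {header}")
```

The negative cases show what the anchored pattern deliberately leaves alone: a local part such as `chairman5` or `ceo.office` does not match because digits must follow `chair` or `ceo` immediately, and the same local part at a corporate domain is out of scope because the rule is restricted to free email providers.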