VIP Impersonation via Google Group relay with suspicious indicators

Public Google Groups can be used to impersonate internal senders, while the reply to address is not under organizational control, leading to fraud, credential phishing, or other unwanted outcomes.

Sublime rule (View on GitHub)

 1name: "VIP Impersonation via Google Group relay with suspicious indicators"
 2description: "Public Google Groups can be used to impersonate internal senders, while the reply to address is not under organizational control, leading to fraud, credential phishing, or other unwanted outcomes."
 3type: "rule"
 4severity: "high"
 5source: |
 6  (type.inbound or type.internal)
 7  and sender.email.domain.root_domain in $org_domains
 8  
 9  // subject, sender or reply to contains a VIP
10  and (
11    any(headers.reply_to,
12        any($org_vips, strings.contains(.display_name, ..display_name))
13    )
14    or any($org_vips, strings.contains(subject.subject, .display_name))
15    or any($org_vips, strings.contains(sender.display_name, .display_name))
16  )
17  and any(headers.hops,
18          any(.fields,
19              regex.icontains(.name,
20                              "X-Authenticated-Sender|X-Sender|X-Original-Sender"
21              )
22          )
23  )
24  
25  // reply to return path mismatch and not org domain
26  and any(headers.reply_to,
27          .email.domain.root_domain != headers.return_path.domain.root_domain
28          and .email.domain.root_domain not in $org_domains
29  )
30  
31  // googlegroups found in hops
32  and any(headers.hops,
33          .index == 0 and any(.fields, strings.icontains(.value, "googlegroups"))
34  )
35  
36  // financial nlu entity in current thread
37  and 3 of (
38    any(ml.nlu_classifier(body.current_thread.text).entities,
39        .name == "financial"
40    ),
41  
42    // invoice entity in display_text
43    any(ml.nlu_classifier(body.html.display_text).tags, .name == "invoice"),
44  
45    // fake thread
46    (
47      regex.imatch(subject.subject, "(re|fw(d)?):.*")
48      and (
49        (length(headers.references) == 0 and headers.in_reply_to is null)
50        or not any(headers.hops,
51                   any(.fields, strings.ilike(.name, "In-Reply-To"))
52        )
53      )
54    ),
55  
56    // reply-to is freemail 
57    any(headers.reply_to, .email.domain.domain in $free_email_providers),
58  
59    // reply-to is not in $recipient_emails
60    any(headers.reply_to, .email.email not in $recipient_emails),
61  
62    // dmarc authentication is freemail provider
63    any(distinct(headers.hops, .authentication_results.dmarc is not null),
64        .authentication_results.dmarc_details.from.domain in $free_email_providers
65    )
66  )  
67attack_types:
68  - "BEC/Fraud"
69  - "Credential Phishing"
70  - "Malware/Ransomware"
71tactics_and_techniques:
72  - "Evasion"
73  - "Free email provider"
74  - "Impersonation: Employee"
75  - "Social engineering"
76  - "Spoofing"
77detection_methods:
78  - "Content analysis"
79  - "Header analysis"
80  - "Natural Language Understanding"
81  - "Sender analysis"
82id: "57f9cd3b-ddac-5ef5-96dd-374dbd03f5cd"
to-top