Impersonation: Human Resources with link or attachment and engaging language

Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender.


 1name: "Impersonation: Human Resources with link or attachment and engaging language"
 2description: "Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and sender.email.domain.domain not in $org_domains
 8  and regex.icontains(sender.display_name,
 9                      '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
10  )
11  
12  // negate replies
13  and (
14    length(headers.references) == 0
15    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
16  )
17  // Negate common marketing mailers
18  and not regex.icontains(sender.display_name,
19                          'HR (Events|Expert|Support Center|Studies|Knowledge Cloud|News Library)|HR and People Operations'
20  )
21  and not (
22    any(headers.hops,
23        strings.icontains(.authentication_results.spf_details.designator,
24                          "constantcontact.com"
25        )
26    )
27    or any(headers.hops,
28           strings.icontains(.received_spf.designator, "constantcontact.com")
29    )
30    or (
31      (
32        any(headers.hops,
33            .index == 0
34            and any(.authentication_results.dkim_details,
35                    .domain == "auth.ccsend.com"
36            )
37        )
38      )
39      and headers.auth_summary.dmarc.pass
40    )
41    or any(headers.references, strings.iends_with(., "ccsend.com"))
42  )
43  
44  and (
45    (0 < length(body.links) < 10 or length(attachments) > 0)
46    // mass-mailer infra abuse results in an inflated link count due to mailer templates that include links for unsubbing, changing preferences, etc.
47    // loosening the link count check as a result ensures we fire even with these conditions
48    or (
49      any(body.links,
50          strings.ilike(.display_text,
51                        "*unsubscribe*",
52                        "update your preferences",
53                        "add us to your address book"
54          )
55      )
56      and 0 < length(body.links) < 15
57    )
58  )
59  // Request and Urgency
60  and any(ml.nlu_classifier(body.current_thread.text).entities,
61          .name == "request"
62  )
63  and any(ml.nlu_classifier(body.current_thread.text).entities,
64          .name in ("urgency", "financial")
65  )
66  and (
67    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
68    or length(ml.nlu_classifier(body.current_thread.text).intents) == 0 // not benign but not malicious either
69  )
70  and (
71    profile.by_sender().prevalence in ("new", "outlier")
72    or (
73      profile.by_sender().any_messages_malicious_or_spam
74      and not profile.by_sender().any_false_positives
75    )
76  )
77  // negate highly trusted sender domains unless they fail DMARC authentication
78  and (
79    (
80      sender.email.domain.root_domain in $high_trust_sender_root_domains
81      and not headers.auth_summary.dmarc.pass
82    )
83    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
84  )  
85
86attack_types:
87  - "BEC/Fraud"
88  - "Credential Phishing"
89tactics_and_techniques:
90  - "Impersonation: Employee"
91  - "Social engineering"
92detection_methods:
93  - "Content analysis"
94  - "Header analysis"
95  - "Natural Language Understanding"
96  - "Sender analysis"
97id: "8c95a6a8-50d3-5697-a379-c00bda8e1922"