Impersonation: Human Resources with link or attachment and engaging language
Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender.
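# Sublime Security detection rule: YAML metadata wrapping an MQL query in the
# `source` block scalar. The rule fires on inbound mail from outside the org
# that impersonates HR and carries a link or attachment together with
# "engaging" (request/urgency) language, then negates the usual benign sources
# of that pattern: replies, marketing mailers, Constant Contact infrastructure,
# newsletter-like topics, established senders, and authenticated high-trust
# domains. Comments inside `source` use MQL's `//` syntax, not YAML `#`.
name: "Impersonation: Human Resources with link or attachment and engaging language"
description: "Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender."
type: "rule"
severity: "medium"
source: |
  // scope: inbound mail whose sender domain is not one of the org's own
  type.inbound
  and sender.email.domain.domain not in $org_domains
  // HR impersonation: either the display name looks like HR, or the NLU
  // classifier finds exactly one "sender" entity and that entity looks like HR
  and (
    regex.icontains(sender.display_name,
                    '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
    )
    or (
      length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                    .name == "sender"
                    )
      ) == 1
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "sender"
              and regex.icontains(.text,
                                  '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
              )
      )
    )
  )
  // negate senders on a .hr (Croatia ccTLD) domain whose display name echoes
  // their own domain: the "hr" is the TLD, not an HR impersonation
  and not (
    strings.icontains(sender.display_name, sender.email.domain.domain)
    and sender.email.domain.tld == "hr"
  )

  // negate replies
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  // Negate common marketing mailers
  and not (
    sender.display_name is not null
    and regex.icontains(sender.display_name,
                        'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations'
    )
  )
  // negate Constant Contact sending infrastructure: SPF designator on any hop,
  // first hop DKIM-signed by auth.ccsend.com with a DMARC pass, or a ccsend.com
  // References header
  and not (
    any(headers.hops,
        strings.icontains(.authentication_results.spf_details.designator,
                          "constantcontact.com"
        )
    )
    or any(headers.hops,
           strings.icontains(.received_spf.designator, "constantcontact.com")
    )
    or (
      (
        any(headers.hops,
            .index == 0
            and any(.authentication_results.dkim_details,
                    .domain == "auth.ccsend.com"
            )
        )
      )
      and headers.auth_summary.dmarc.pass
    )
    or any(headers.references, strings.iends_with(., "ccsend.com"))
  )
  // link or attachment present: 1-9 body links, or any attachment
  and (
    (0 < length(body.links) < 10 or length(attachments) > 0)
    // mass-mailer infra abuse results in an inflated link count due to mailer templates that include links for unsubbing, changing preferences, etc.
    // loosening the link count check as a result ensures we fire even with these conditions
    or (
      any(body.links,
          strings.ilike(.display_text,
                        "*unsubscribe*",
                        "update your preferences",
                        "add us to your address book"
          )
      )
      and 0 < length(body.links) < 15
    )
  )
  // Request and Urgency
  // engaging language: a body over 100 chars containing a request plus either
  // an urgency/financial entity or a high-confidence career-development topic
  // with a non-benign intent; or a short body (< 400 chars) whose image/pdf
  // attachment carries a QR code URL pointing outside the org's domains
  and (
    (
      length(body.current_thread.text) > 100
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "request"
      )
      and (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name in ("urgency", "financial")
        )
        or (
          any(beta.ml_topic(body.current_thread.text).topics,
              .name == "Professional and Career Development"
              and .confidence == "high"
          )
          and any(ml.nlu_classifier(body.current_thread.text).intents,
                  .name != "benign"
          )
        )
      )
    )
    or (
      length(body.current_thread.text) < 400
      and any(attachments,
              (.file_type in $file_types_images or .file_type == "pdf")
              and any(file.explode(.),
                      .scan.qr.type == "url"
                      and .scan.qr.url.domain.root_domain not in $org_domains
              )
      )
    )
  )
  // additional suspicious indicator
  // at least one of: a non-benign intent, no intent classified at all, 1-2
  // all-caps link texts (mailer boilerplate and aka.ms excluded), or an
  // image/pdf attachment whose OCR text classifies as high-confidence cred_theft
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
    or length(ml.nlu_classifier(body.current_thread.text).intents) == 0 // not benign but not malicious either
    // 1-2 all caps body links
    // NOTE(review): regex.match presumably matches the whole display text, so
    // only text made solely of capitals and spaces counts here -- confirm against MQL docs
    or 0 < length(filter(body.links,
                         not (
                           strings.ilike(.display_text,
                                         "*unsubscribe*",
                                         "update your preferences",
                                         "add us to your address book"
                           )
                           or .href_url.domain.root_domain == 'aka.ms'
                         )
                         and regex.match(.display_text, '[A-Z ]+')
                  ),
    ) < 3
    or any(attachments,
           (.file_type in $file_types_images or .file_type == "pdf")
           and any(file.explode(.),
                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name == "cred_theft" and .confidence == "high"
                   )
           )
    )
  )
  // topic negation
  and not any(beta.ml_topic(body.current_thread.text).topics,
              .name in (
                "Newsletters and Digests",
                "Advertising and Promotions",
                "Educational and Research",
              )
              and .confidence == "high"
  )
  // sender must be unestablished for this org: new/outlier prevalence, prior
  // malicious or spam messages with no false positives, or one of the listed
  // third-party services that are routinely abused for lures
  and (
    profile.by_sender_email().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    or sender.email.email in (
      "adobesign@adobesign.com",
      "noreply@salesforce.com",
      "support@salesforce.com",
      "no-reply@salesforce.com"
    ) // abused services
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // NOTE(review): when dmarc.pass and spf.pass are both null (no auth results),
  // `not headers.auth_summary.spf.pass` presumably evaluates null, so a
  // high-trust domain with no authentication data is negated rather than
  // flagged -- confirm this is the intended behaviour
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        not headers.auth_summary.dmarc.pass
        or (
          headers.auth_summary.dmarc.pass is null
          and not headers.auth_summary.spf.pass
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "8c95a6a8-50d3-5697-a379-c00bda8e1922"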