Impersonation: Human Resources with link or attachment and engaging language

Detects messages impersonating HR, sent from an untrusted sender, that contain at least one link or attachment together with engaging language in the body.

Sublime rule (View on GitHub)

# Sublime detection rule: YAML metadata plus an MQL expression in `source`.
# Every top-level `and` clause in `source` must hold for the rule to fire;
# `// ...` lines inside the block scalar are MQL comments passed with the query.
name: "Impersonation: Human Resources with link or attachment and engaging language"
description: "Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail only, from a sender domain outside the organization.
  type.inbound
  and sender.email.domain.domain not in $org_domains
  // HR impersonation signal: either the display name looks like HR, or the NLU
  // classifier finds exactly one "sender" entity in the body and that entity's
  // text matches the same HR pattern.
  and (
    regex.icontains(sender.display_name,
                    '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
    )
    or (
      length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                    .name == "sender"
             )
      ) == 1
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "sender"
              and regex.icontains(.text,
                                  '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
              )
      )
    )
  )
  // Exclude senders whose display name contains their own domain under the
  // "hr" TLD; the trailing ".hr" would otherwise satisfy the \bh\W?r\W?\b
  // alternative of the regex above.
  and not (
    strings.icontains(sender.display_name, sender.email.domain.domain)
    and sender.email.domain.tld == "hr"
  )

  // negate replies
  // Passes when References is empty OR no hop carries an In-Reply-To field, so
  // only messages showing both reply markers are dropped here.
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  // Negate common marketing mailers
  // First by display-name pattern, then by Constant Contact delivery
  // infrastructure (SPF designator, DKIM domain on hop 0 with DMARC pass,
  // or a References entry ending in ccsend.com).
  and not (
    sender.display_name is not null
    and regex.icontains(sender.display_name,
                        'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations'
    )
  )
  and not (
    any(headers.hops,
        strings.icontains(.authentication_results.spf_details.designator,
                          "constantcontact.com"
        )
    )
    or any(headers.hops,
           strings.icontains(.received_spf.designator, "constantcontact.com")
    )
    or (
      (
        any(headers.hops,
            .index == 0
            and any(.authentication_results.dkim_details,
                    .domain == "auth.ccsend.com"
            )
        )
      )
      and headers.auth_summary.dmarc.pass
    )
    or any(headers.references, strings.iends_with(., "ccsend.com"))
  )
  // Payload requirement: 1-9 body links or at least one attachment; the
  // link ceiling is raised to 14 when a link looks like mailer-template
  // boilerplate (unsubscribe / preferences / address book).
  and (
    (0 < length(body.links) < 10 or length(attachments) > 0)
    // mass-mailer infra abuse results in an inflated link count due to mailer templates that include links for unsubbing, changing preferences, etc.
    // loosening the link count check as a result ensures we fire even with these conditions
    or (
      any(body.links,
          strings.ilike(.display_text,
                        "*unsubscribe*",
                        "update your preferences",
                        "add us to your address book"
          )
      )
      and 0 < length(body.links) < 15
    )
  )
  // Request and Urgency
  // Branch 1: body longer than 100 chars with a "request" entity and either an
  // "urgency"/"financial" entity or a high-confidence career-development topic
  // plus a non-benign intent.
  // Branch 2: body shorter than 400 chars with an image/PDF attachment whose
  // exploded content holds a URL QR code pointing outside $org_domains.
  and (
    (
      length(body.current_thread.text) > 100
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "request"
      )
      and (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name in ("urgency", "financial")
        )
        or (
          any(beta.ml_topic(body.current_thread.text).topics,
              .name == "Professional and Career Development"
              and .confidence == "high"
          )
          and any(ml.nlu_classifier(body.current_thread.text).intents,
                  .name != "benign"
          )
        )
      )
    )
    or (
      length(body.current_thread.text) < 400
      and any(attachments,
              (.file_type in $file_types_images or .file_type == "pdf")
              and any(file.explode(.),
                      .scan.qr.type == "url"
                      and .scan.qr.url.domain.root_domain not in $org_domains
              )
      )
    )
  )
  // additional suspicious indicator
  // Any one of: a non-benign intent; no intents at all; 1-2 links whose
  // display text is all caps/spaces (mailer boilerplate and aka.ms links
  // excluded); or an image/PDF attachment whose OCR text classifies as
  // high-confidence cred_theft.
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
    or length(ml.nlu_classifier(body.current_thread.text).intents) == 0 // not benign but not malicious either
    // 1-2 all caps body links
    or 0 < length(filter(body.links,
                         not (
                           strings.ilike(.display_text,
                                         "*unsubscribe*",
                                         "update your preferences",
                                         "add us to your address book"
                           )
                           or .href_url.domain.root_domain == 'aka.ms'
                         )
                         and regex.match(.display_text, '[A-Z ]+')
                  ),
    ) < 3
    or any(attachments,
           (.file_type in $file_types_images or .file_type == "pdf")
           and any(file.explode(.),
                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name == "cred_theft" and .confidence == "high"
                   )
           )
    )
  )
  // topic negation
  // Drop messages the topic model confidently classifies as bulk/informational.
  and not any(beta.ml_topic(body.current_thread.text).topics,
              .name in (
                "Newsletters and Digests",
                "Advertising and Promotions",
                "Educational and Research",
              )
              and .confidence == "high"
  )
  // Sender reputation: fire only for new/outlier sender addresses, senders
  // with prior malicious-or-spam messages and no false positives, or the
  // listed service addresses.
  and (
    profile.by_sender_email().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    or sender.email.email in (
      "adobesign@adobesign.com",
      "noreply@salesforce.com",
      "support@salesforce.com",
      "no-reply@salesforce.com"
    ) // abused services
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // A high-trust root domain is kept only when DMARC fails, or when the DMARC
  // result is null and SPF fails; the `is null` branch exists because a null
  // dmarc.pass does not satisfy `not headers.auth_summary.dmarc.pass` on its own.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        not headers.auth_summary.dmarc.pass
        or (
          headers.auth_summary.dmarc.pass is null
          and not headers.auth_summary.spf.pass
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
# Classification metadata used for triage and reporting.
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
# Stable rule identifier; do not change when editing the rule body.
id: "8c95a6a8-50d3-5697-a379-c00bda8e1922"