Impersonation: Human Resources with link or attachment and engaging language
Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender.
# Sublime detection rule. The MQL query under `source` is evaluated against each
# inbound message; every top-level `and` clause must hold for the rule to fire.
name: "Impersonation: Human Resources with link or attachment and engaging language"
description: "Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // untrusted sender: any domain outside the org's own domains
  and sender.email.domain.domain not in $org_domains
  // HR impersonation signal, taken either from the display name ...
  and (
    regex.icontains(sender.display_name,
                    '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
    )
    // ... or from the NLU "sender" entity in the current thread body:
    // exactly one such entity, and its text matches the same HR pattern
    or (
      length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                    .name == "sender"
                    )
      ) == 1
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "sender"
              and regex.icontains(.text,
                                  '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
              )
      )
    )
  )
  // the `\bh\W?r\W?\b` alternative also matches the ".hr" suffix of a domain, so
  // do not fire when the display name merely echoes the sender's own .hr domain
  and not (
    strings.icontains(sender.display_name, sender.email.domain.domain)
    and sender.email.domain.tld == "hr"
  )

  // negate replies
  // NOTE: because this is an `or`, a message is treated as a reply only when
  // References is non-empty AND In-Reply-To is set; a message carrying just one
  // of the two headers is still evaluated by the rest of the rule
  and (length(headers.references) == 0 or headers.in_reply_to is null)
  // Negate common marketing mailers
  and not (
    sender.display_name is not null
    and regex.icontains(sender.display_name,
                        'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations'
    )
  )
  // negate Constant Contact infrastructure, identified by its SPF designator,
  // by a DMARC-passing auth.ccsend.com DKIM signature on the first hop,
  // or by a References header value ending in ccsend.com
  and not (
    any(headers.hops,
        strings.icontains(.authentication_results.spf_details.designator,
                          "constantcontact.com"
        )
    )
    or any(headers.hops,
           strings.icontains(.received_spf.designator, "constantcontact.com")
    )
    or (
      (
        any(headers.hops,
            .index == 0
            and any(.authentication_results.dkim_details,
                    .domain == "auth.ccsend.com"
            )
        )
      )
      and headers.auth_summary.dmarc.pass
    )
    or any(headers.references, strings.iends_with(., "ccsend.com"))
  )
  // link / attachment presence: 1-9 body links or at least one attachment ...
  and (
    (0 < length(body.links) < 10 or length(attachments) > 0)
    // mass-mailer infra abuse results in an inflated link count due to mailer templates that include links for unsubbing, changing preferences, etc.
    // loosening the link count check as a result ensures we fire even with these conditions
    or (
      any(body.links,
          strings.ilike(.display_text,
                        "*unsubscribe*",
                        "update your preferences",
                        "add us to your address book"
          )
      )
      and 0 < length(body.links) < 15
    )
  )
  // Request and Urgency
  // either a text-based pattern (body longer than 100 chars with a "request"
  // entity plus urgency/financial language, or a high-confidence career
  // development topic together with a non-benign intent) ...
  and (
    (
      length(body.current_thread.text) > 100
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "request"
      )
      and (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name in ("urgency", "financial")
        )
        or (
          any(beta.ml_topic(body.current_thread.text).topics,
              .name == "Professional and Career Development"
              and .confidence == "high"
          )
          and any(ml.nlu_classifier(body.current_thread.text).intents,
                  .name != "benign"
          )
        )
      )
    )
    // ... or a short body (under 400 chars) with an image/PDF attachment whose
    // QR code resolves to a URL outside the org's domains
    or (
      length(body.current_thread.text) < 400
      and any(attachments,
              (.file_type in $file_types_images or .file_type == "pdf")
              and any(file.explode(.),
                      .scan.qr.type == "url"
                      and .scan.qr.url.domain.root_domain not in $org_domains
              )
      )
    )
  )
  // additional suspicious indicator
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
    or length(ml.nlu_classifier(body.current_thread.text).intents) == 0 // not benign but not malicious either
    // 1-2 all caps body links
    // (unsubscribe-style links and aka.ms links are excluded before counting;
    // `0 < ... < 3` keeps the count at exactly 1 or 2)
    or 0 < length(filter(body.links,
                         not (
                           strings.ilike(.display_text,
                                         "*unsubscribe*",
                                         "update your preferences",
                                         "add us to your address book"
                           )
                           or .href_url.domain.root_domain == 'aka.ms'
                         )
                         and regex.match(.display_text, '[A-Z ]+')
                  ),
    ) < 3
    // OCR text of an image/PDF attachment classified as high-confidence credential theft
    or any(attachments,
           (.file_type in $file_types_images or .file_type == "pdf")
           and any(file.explode(.),
                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name == "cred_theft" and .confidence == "high"
                   )
           )
    )
  )
  // topic negation
  and not any(beta.ml_topic(body.current_thread.text).topics,
              .name in (
                "Newsletters and Digests",
                "Advertising and Promotions",
                "Educational and Research",
              )
              and .confidence == "high"
  )
  // sender reputation: unfamiliar to the org, previously malicious/spam with no
  // benign history, or one of the listed third-party service addresses
  and (
    profile.by_sender_email().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
    or sender.email.email in (
      "adobesign@adobesign.com",
      "noreply@salesforce.com",
      "support@salesforce.com",
      "no-reply@salesforce.com"
    ) // abused services
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (or, when no DMARC result is present, fail SPF)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        not headers.auth_summary.dmarc.pass
        or (
          headers.auth_summary.dmarc.pass is null
          and not headers.auth_summary.spf.pass
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "8c95a6a8-50d3-5697-a379-c00bda8e1922"