Impersonation: Human Resources with link or attachment and engaging language

 1name: "Impersonation: Human Resources with link or attachment and engaging language"
 2description: "Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from a first-time sender."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and sender.email.domain.domain not in $org_domains
 8  and regex.icontains(sender.display_name,
 9                      '(\bh\W?r\W?\b|human resources|hr depart(ment)?|employee relations)'
10  )
11  and (length(body.links) > 0 or length(attachments) > 0)
12  
13  // Request and Urgency 
14  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
15  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
16  and (
17    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
18    and not length(ml.nlu_classifier(body.current_thread.text).intents) == 0
19  )
20  and (
21    (
22      sender.email.domain.root_domain in $free_email_providers
23      and sender.email.email not in $sender_emails
24    )
25    or (
26      sender.email.domain.root_domain not in $free_email_providers
27      and sender.email.domain.domain not in $sender_domains
28    )
29  )  
30attack_types:
31  - "BEC/Fraud"
32  - "Credential Phishing"
33tactics_and_techniques:
34  - "Impersonation: Employee"
35  - "Social engineering"
36detection_methods:
37  - "Content analysis"
38  - "Header analysis"
39  - "Natural Language Understanding"
40  - "Sender analysis"
41id: "8c95a6a8-50d3-5697-a379-c00bda8e1922"