Impersonation: Human Resources with link or attachment and engaging language

Detects messages from an untrusted sender that impersonate HR, contain at least one link or one attachment, and use engaging language in the body.

Sublime rule (View on GitHub)

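  # Sublime detection rule: YAML metadata wrapping an MQL expression in `source`.
  # The listing had a line-number gutter fused onto every line (`1name:`, `93attack_types:`),
  # which made it unparseable as YAML; the gutter is removed here and the rule logic is unchanged.
  #
  # What the expression requires, all at once:
  #   - inbound mail from a domain outside $org_domains
  #   - a display name that looks like an HR department
  #   - not a reply, and not a recognised marketing mailer
  #   - a bounded number of links, or at least one attachment
  #   - NLU entities "request" plus "urgency" or "financial", with a non-benign or absent intent
  #   - a sender that is new/outlier or previously flagged, and not a high-trust domain
  #     unless that domain fails DMARC
  name: "Impersonation: Human Resources with link or attachment and engaging language"
  description: "Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender."
  type: "rule"
  severity: "medium"
  source: |
    // Scope: inbound mail whose sender domain is not one of the organization's own domains.
    type.inbound
    and sender.email.domain.domain not in $org_domains
    // The HR match is on the display name only, which is free text chosen by the sender;
    // the pattern accepts "HR" with optional separators ("H.R.", "H R") and a few spelled-out forms.
    and regex.icontains(sender.display_name,
                        '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
    )

    // negate replies
    // Passes when there are no References values, or when no hop carries an In-Reply-To field.
    // NOTE(review): both headers are sender-supplied; this exclusion exists to cut false
    // positives on real threads and should not be read as a trust signal.
    and (
      length(headers.references) == 0
      or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
    // Negate common marketing mailers
    // First by display name (known HR newsletter brands), then by Constant Contact infrastructure.
    and not regex.icontains(sender.display_name,
                            'HR (Events|Expert|Support Center|Studies|Knowledge Cloud|News Library)|HR and People Operations'
    )
    // Constant Contact is recognised by any one of four signals below.
    // NOTE(review): the two SPF branches are substring matches on the designator and do not
    // test the SPF verdict in this expression; only the DKIM branch is paired with a DMARC
    // "*pass" check. Confirm the weaker branches are acceptable for your environment.
    and not (
      any(headers.hops,
          strings.icontains(.authentication_results.spf_details.designator,
                            "constantcontact.com"
          )
      )
      or any(headers.hops,
             strings.icontains(.received_spf.designator, "constantcontact.com")
      )
      or (
        (
          any(headers.hops,
              .index == 0
              and any(.authentication_results.dkim_details,
                      .domain == "auth.ccsend.com"
              )
          )
        )
        and any(distinct(headers.hops, .authentication_results.dmarc is not null),
                .index == 0
                and strings.ilike(.authentication_results.dmarc, "*pass")
        )
      )
      or any(headers.references, strings.iends_with(., "ccsend.com"))
    )

    // Payload gate: 1-9 links or at least one attachment, with a looser 1-14 link
    // ceiling when the message carries mailer-template links.
    and (
      (0 < length(body.links) < 10 or length(attachments) > 0)
      // mass-mailer infra abuse results in an inflated link count due to mailer templates that include links for unsubbing, changing preferences, etc.
      // loosening the link count check as a result ensures we fire even with these conditions
      // NOTE(review): only "*unsubscribe*" carries wildcards; if strings.ilike matches the
      // whole string, the other two patterns need the display text to be exactly that
      // phrase - confirm this is intended.
      or (
        any(body.links,
            strings.ilike(.display_text,
                          "*unsubscribe*",
                          "update your preferences",
                          "add us to your address book"
            )
        )
        and 0 < length(body.links) < 15
      )
    )
    // Request and Urgency
    // Both entity checks must hold: a "request" entity, and an "urgency" or "financial" entity.
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "request"
    )
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name in ("urgency", "financial")
    )
    // Intent check: at least one intent that is not "benign", or no intents returned at all.
    and (
      any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
      or length(ml.nlu_classifier(body.current_thread.text).intents) == 0 // not benign but not malicious either
    )
    // Sender history gate: prevalence is "new" or "outlier", or the sender profile reports
    // earlier malicious/spam messages with no recorded false positives.
    and (
      profile.by_sender().prevalence in ("new", "outlier")
      or (
        profile.by_sender().any_messages_malicious_or_spam
        and not profile.by_sender().any_false_positives
      )
    )
    // negate highly trusted sender domains unless they fail DMARC authentication
    // A root domain in $high_trust_sender_root_domains only matches when some hop reports a
    // DMARC result ending in "fail"; every other root domain passes this clause.
    and (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        and (
          any(distinct(headers.hops, .authentication_results.dmarc is not null),
              strings.ilike(.authentication_results.dmarc, "*fail")
          )
        )
      )
      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
    )

  # Classification tags attached to the rule.
  attack_types:
    - "BEC/Fraud"
    - "Credential Phishing"
  tactics_and_techniques:
    - "Impersonation: Employee"
    - "Social engineering"
  detection_methods:
    - "Content analysis"
    - "Header analysis"
    - "Natural Language Understanding"
    - "Sender analysis"
  # Rule identifier as published on the page; keep it unchanged when editing the rule.
  id: "8c95a6a8-50d3-5697-a379-c00bda8e1922"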