Impersonation: Human Resources with link or attachment and engaging language
Detects messages whose sender display name impersonates HR, sent from outside the organization by an untrusted (new, outlier, or previously flagged) sender, that carry at least one link or one attachment and whose body reads as a request with urgency or financial framing.
Sublime rule
1name: "Impersonation: Human Resources with link or attachment and engaging language"
2description: "Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender."
3type: "rule"
4severity: "medium"
5source: |
  // Fires on inbound mail from outside the org whose display name looks like HR,
  // that is not a reply, carries a link or attachment, reads as a request with
  // urgency/financial framing, and comes from a sender without an established
  // benign history. Every clause below is AND-ed unless stated otherwise.
6 type.inbound
  // Compares the full sender domain (not root_domain, which the high-trust check
  // at the bottom uses) against the org's configured domains.
7 and sender.email.domain.domain not in $org_domains
  // Impersonation signal: display name is sender-controlled, so this identifies the
  // lure, not trust. Also matches "hr" as a standalone token and punctuated forms
  // such as "H.R." because of the optional \W? separators.
8 and regex.icontains(sender.display_name,
9 '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
10 )
11
12 // negate replies
  // Only suppressed when the message has BOTH a non-empty References header AND an
  // In-Reply-To header on some hop; a message with just one of the two still fires.
13 and (
14 length(headers.references) == 0
15 or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
16 )
17 // Negate common marketing mailers
  // NOTE(review): this exclusion keys on the display name, which the sender picks;
  // a phisher who chooses one of these exact names is exempted from the rule.
18 and not regex.icontains(sender.display_name,
19 'HR (Events|Expert|Support Center|Studies|Knowledge Cloud|News Library)|HR and People Operations'
20 )
  // Constant Contact exclusion. NOTE(review): the two SPF branches match on the
  // designator alone (case-insensitive substring) and do not require the SPF check
  // to have passed; only the DKIM branch is tied to a DMARC pass. Confirm whether
  // the SPF branches should be gated on an authentication result as well.
21 and not (
22 any(headers.hops,
23 strings.icontains(.authentication_results.spf_details.designator,
24 "constantcontact.com"
25 )
26 )
27 or any(headers.hops,
28 strings.icontains(.received_spf.designator, "constantcontact.com")
29 )
30 or (
31 (
  // First hop (index 0) must carry a DKIM signature for auth.ccsend.com ...
32 any(headers.hops,
33 .index == 0
34 and any(.authentication_results.dkim_details,
35 .domain == "auth.ccsend.com"
36 )
37 )
38 )
  // ... and the message must pass DMARC overall.
39 and headers.auth_summary.dmarc.pass
40 )
  // Threading evidence of a Constant Contact conversation.
41 or any(headers.references, strings.iends_with(., "ccsend.com"))
42 )
43
  // Payload requirement: a small number of links, or any attachment (the attachment
  // branch has no link-count cap), or a mailer-template message with up to 14 links.
44 and (
45 (0 < length(body.links) < 10 or length(attachments) > 0)
46 // mass-mailer infra abuse results in an inflated link count due to mailer templates that include links for unsubbing, changing preferences, etc.
47 // loosening the link count check as a result ensures we fire even with these conditions
48 or (
49 any(body.links,
50 strings.ilike(.display_text,
51 "*unsubscribe*",
52 "update your preferences",
53 "add us to your address book"
54 )
55 )
56 and 0 < length(body.links) < 15
57 )
58 )
59 // Request and Urgency
  // The body of the current thread must yield a "request" entity AND an "urgency"
  // or "financial" entity, AND the classified intents must not be exclusively benign.
60 and any(ml.nlu_classifier(body.current_thread.text).entities,
61 .name == "request"
62 )
63 and any(ml.nlu_classifier(body.current_thread.text).entities,
64 .name in ("urgency", "financial")
65 )
66 and (
67 any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
68 or length(ml.nlu_classifier(body.current_thread.text).intents) == 0 // no intent classified at all: not benign, but not malicious either, so still eligible
69 )
  // Sender reputation: unestablished senders, or senders with prior malicious/spam
  // verdicts that have never been marked as a false positive.
70 and (
71 profile.by_sender().prevalence in ("new", "outlier")
72 or (
73 profile.by_sender().any_messages_malicious_or_spam
74 and not profile.by_sender().any_false_positives
75 )
76 )
77 // negate highly trusted sender domains unless they fail DMARC authentication
  // Equivalent to: root domain is not high-trust, OR it is high-trust but DMARC did
  // not pass (i.e. a spoof of a trusted domain still fires).
78 and (
79 (
80 sender.email.domain.root_domain in $high_trust_sender_root_domains
81 and not headers.auth_summary.dmarc.pass
82 )
83 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
84 )
85
86attack_types:
87 - "BEC/Fraud"
88 - "Credential Phishing"
89tactics_and_techniques:
90 - "Impersonation: Employee"
91 - "Social engineering"
92detection_methods:
93 - "Content analysis"
94 - "Header analysis"
95 - "Natural Language Understanding"
96 - "Sender analysis"
97id: "8c95a6a8-50d3-5697-a379-c00bda8e1922"