Impersonation: Human Resources with link or attachment and engaging language

Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender.

Sublime rule (View on GitHub)

  1name: "Impersonation: Human Resources with link or attachment and engaging language"
  2description: "Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and sender.email.domain.domain not in $org_domains
  8  and regex.icontains(sender.display_name,
  9                      '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
 10  )
 11  
 12  and not (
 13    strings.icontains(sender.display_name, sender.email.domain.domain)
 14    and sender.email.domain.tld == "hr"
 15  )
 16  
 17  // negate replies
 18  and (
 19    length(headers.references) == 0
 20    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
 21  )
 22  // Negate common marketing mailers
 23  and not regex.icontains(sender.display_name,
 24                          'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations'
 25  )
 26  and not (
 27    any(headers.hops,
 28        strings.icontains(.authentication_results.spf_details.designator,
 29                          "constantcontact.com"
 30        )
 31    )
 32    or any(headers.hops,
 33           strings.icontains(.received_spf.designator, "constantcontact.com")
 34    )
 35    or (
 36      (
 37        any(headers.hops,
 38            .index == 0
 39            and any(.authentication_results.dkim_details,
 40                    .domain == "auth.ccsend.com"
 41            )
 42        )
 43      )
 44      and headers.auth_summary.dmarc.pass
 45    )
 46    or any(headers.references, strings.iends_with(., "ccsend.com"))
 47  )
 48  
 49  and (
 50    (0 < length(body.links) < 10 or length(attachments) > 0)
 51    // mass-mailer infra abuse results in an inflated link count due to mailer templates that include links for unsubbing, changing preferences, etc.
 52    // loosening the link count check as a result ensures we fire even with these conditions
 53    or (
 54      any(body.links,
 55          strings.ilike(.display_text,
 56                        "*unsubscribe*",
 57                        "update your preferences",
 58                        "add us to your address book"
 59          )
 60      )
 61      and 0 < length(body.links) < 15
 62    )
 63  )
 64  // Request and Urgency
 65  and any(ml.nlu_classifier(body.current_thread.text).entities,
 66          .name == "request"
 67  )
 68  and any(ml.nlu_classifier(body.current_thread.text).entities,
 69          .name in ("urgency", "financial")
 70  )
 71  and (
 72    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
 73    or length(ml.nlu_classifier(body.current_thread.text).intents) == 0 // not benign but not malicious either
 74  )
 75  and (
 76    profile.by_sender().prevalence in ("new", "outlier")
 77    or (
 78      profile.by_sender().any_messages_malicious_or_spam
 79      and not profile.by_sender().any_false_positives
 80    )
 81  )
 82  // negate highly trusted sender domains unless they fail DMARC authentication
 83  and (
 84    (
 85      sender.email.domain.root_domain in $high_trust_sender_root_domains
 86      and not headers.auth_summary.dmarc.pass
 87    )
 88    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 89  )  
 90
 91attack_types:
 92  - "BEC/Fraud"
 93  - "Credential Phishing"
 94tactics_and_techniques:
 95  - "Impersonation: Employee"
 96  - "Social engineering"
 97detection_methods:
 98  - "Content analysis"
 99  - "Header analysis"
100  - "Natural Language Understanding"
101  - "Sender analysis"
102id: "8c95a6a8-50d3-5697-a379-c00bda8e1922"
to-top