Impersonation: Human Resources with link or attachment and engaging language
Detects messages from a first-time external sender whose display name impersonates HR and that contain at least one link or attachment, where the body carries engaging language (a request plus urgency and a non-benign intent).
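name: "Impersonation: Human Resources with link or attachment and engaging language"
description: "Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from a first-time sender."
type: "rule"
severity: "medium"
source: |
  type.inbound

  // Scope: external senders only. A message whose SMTP From domain is in
  // $org_domains is deliberately out of scope here, so a spoofed internal HR
  // address (e.g. where DMARC is not enforced on the org domain) has to be
  // caught by a separate spoofing/authentication rule, not by this one.
  and sender.email.domain.domain not in $org_domains

  // Display name claims to be HR. The first alternative tolerates a single
  // non-word separator between the letters ("h.r", "h/r") and is bounded on
  // both sides so it does not fire on words that merely contain "hr".
  // Expect some tuning against legitimate third-party HR/benefits vendors
  // that use the same wording in their display name.
  and regex.icontains(sender.display_name,
                      '(\bh\W?r\W?\b|human resources|hr depart(ment)?|employee relations)'
  )

  // The lure: at least one link or attachment. body.links counts every link
  // in the body, including signature/footer links, so the NLU and sender
  // checks below carry the weight of keeping false positives down.
  and (length(body.links) > 0 or length(attachments) > 0)

  // Request and Urgency: the body must carry both a "request" and an
  // "urgency" entity, and at least one intent that is not "benign".
  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
  // any() is already false on an empty intent list, so no separate
  // "intents is non-empty" clause is needed alongside it.
  and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")

  // First-time sender. Free-mail senders are keyed by the full address (the
  // provider's root domain is shared by everyone using it); all other senders
  // are keyed by their domain.
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "8c95a6a8-50d3-5697-a379-c00bda8e1922"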