Brand impersonation: Social Security Administration

Detects messages impersonating the Social Security Administration (SSA) through various indicators including display names, subjects, body content, attachments, and HTML titles. The rule identifies SSA references, confusable characters, statement notifications, and credential theft language while excluding legitimate government communications.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Social Security Administration"
  2description: "Detects messages impersonating the Social Security Administration (SSA) through various indicators including display names, subjects, body content, attachments, and HTML titles. The rule identifies SSA references, confusable characters, statement notifications, and credential theft language while excluding legitimate government communications."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  // Identifies as SSA without catching strings such as "Alyssa"
  8  and (
  9    regex.contains(sender.display_name, '^SSA\b')
 10    or strings.icontains(sender.display_name, "Social Security Administration")
 11    // there are confusables in the display name
 12    or (
 13      strings.replace_confusables(sender.display_name) != sender.display_name
 14      and strings.contains(strings.replace_confusables(sender.display_name),
 15                           "SSA"
 16      )
 17    )
 18    or any([sender.display_name, subject.subject],
 19           regex.icontains(strings.replace_confusables(.),
 20                           'Social (?:benefits|security|s.a\b)',
 21           )
 22    )
 23    or (
 24      any(attachments,
 25          .file_type in ("doc", "docx")
 26          and any(file.explode(.),
 27                  strings.icontains(.scan.strings.raw,
 28                                    "Social Security Administration"
 29                  )
 30          )
 31      )
 32    )
 33    // display name or subject references a statement
 34    or (
 35      any([sender.display_name, subject.subject],
 36          regex.icontains(strings.replace_confusables(.),
 37                          '(Digital|(e[[:punct:]]?))\s?Statements?.{0,10}(Generated|Created|Issued|Ready)'
 38          )
 39      )
 40      // with SSA impersonation in the body
 41      and strings.icontains(body.current_thread.text,
 42                            'Social Security Administration'
 43      )
 44    )
 45    or any(html.xpath(body.html, '//title').nodes,
 46           (
 47             strings.icontains(.inner_text, 'Social Security')
 48             and (
 49               strings.icontains(.inner_text, 'Statement')
 50               or strings.icontains(.inner_text, 'Notification')
 51               or strings.icontains(.inner_text, 'Document')
 52               or strings.icontains(.inner_text, 'Message')
 53               or strings.icontains(.inner_text, 'Important Update')
 54               or strings.icontains(.inner_text, 'Benefit Amount')
 55               or strings.icontains(.inner_text, 'Account')
 56               or strings.icontains(.inner_text, 'Authorization')
 57             )
 58           )
 59           or .inner_text =~ "Social Security Administration"
 60           or .inner_text =~ "Social Security"
 61    )
 62    or (
 63      any(body.links, strings.contains(.href_url.url, 'ssa.gov'))
 64      and strings.icontains(body.current_thread.text,
 65                            'download monthly statement'
 66      )
 67      and strings.icontains(body.current_thread.text, 'stay connected')
 68    )
 69    or (
 70      any(ml.nlu_classifier(body.current_thread.text).entities,
 71          .name == "sender" and .text == "Social Security Administration"
 72      )
 73      and any(ml.nlu_classifier(body.current_thread.text).intents,
 74              .name == "cred_theft" and .confidence != "low"
 75      )
 76    )
 77  )
 78  
 79  // Not from a .gov domain
 80  and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)
 81  
 82  // Additional suspicious indicator
 83  and (
 84    any(ml.nlu_classifier(body.current_thread.text).topics,
 85        .name in ("Security and Authentication", "Secure Message")
 86        and .confidence == "high"
 87    )
 88    or any(ml.nlu_classifier(body.current_thread.text).entities,
 89           .name == "org" and .text == "SSA"
 90    )
 91    or length(body.current_thread.text) == 0
 92    or body.current_thread.text is null
 93    or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
 94    or strings.icontains(strings.replace_confusables(body.current_thread.text),
 95                         "Social Security Statement"
 96    )
 97    or regex.icontains(body.current_thread.text,
 98                       "(?:view|open) (?:your|the).{0,8} (statement|document)"
 99    )
100    or regex.icontains(body.current_thread.text,
101                       "(?:view|open|assess|evaluate|review|conduct|read|scan)"
102    )
103    // real SSA phone number
104    or strings.icontains(body.current_thread.text, "1-800-772-1213")
105    or any(body.links,
106           any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
107               .named_groups["ext"] in $file_extensions_executables
108           )
109    )
110    or any(ml.logo_detect(file.message_screenshot()).brands,
111           .name == "SSA" and .confidence == "high"
112    )
113    or (
114      any(attachments,
115          .file_type in ("doc", "docx")
116          and any(file.explode(.),
117                  strings.icontains(.scan.strings.raw, "suspended")
118                  or strings.icontains(.scan.strings.raw, "fraudulent")
119                  or strings.icontains(.scan.strings.raw, "violated")
120                  or strings.icontains(.scan.strings.raw, "false identity")
121                  or regex.icontains(.scan.strings.raw,
122                                     '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
123                                     '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
124                  )
125          )
126      )
127    )
128  )
129  and not (
130    any(ml.nlu_classifier(body.current_thread.text).topics,
131        .name in (
132          "Newsletters and Digests",
133          "Advertising and Promotions",
134          "Events and Webinars",
135          "Charity and Non-Profit",
136          "Political Mail"
137        )
138        and .confidence == "high"
139    )
140    or any(ml.nlu_classifier(body.current_thread.text).intents,
141           .name == "benign" and .confidence == "high"
142    )
143  )
144  and not (
145    sender.email.email in ("email@email.monarch.com", "contact@govplus.com")
146    and coalesce(headers.auth_summary.dmarc.pass, false)
147  )
148  
149  // not a forward or reply
150  and (headers.in_reply_to is null or length(headers.references) == 0)
151  and not (
152    sender.email.domain.root_domain in $high_trust_sender_root_domains
153    and coalesce(headers.auth_summary.dmarc.pass, false)
154  )  
155attack_types:
156  - "BEC/Fraud"
157  - "Credential Phishing"
158tactics_and_techniques:
159  - "Impersonation: Brand"
160  - "Social engineering"
161detection_methods:
162  - "Content analysis"
163  - "Sender analysis"
164  - "URL analysis"
165id: "6196767e-6264-5833-96f3-d1e34424d7b5"