Impersonation: Social Security Administration (SSA)

calendar Oct 14, 2025  ·
Share on: linkedin copy

Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders.

Sublime rule (View on GitHub)

 1name: "Impersonation: Social Security Administration (SSA)"
 2description: "Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // Identifies as SSA without catching strings such as "Alyssa"
 9  and (
10    regex.contains(sender.display_name, '^SSA\b')
11    or strings.icontains(sender.display_name, "Social Security Administration")
12    // there are confusables in the display name
13    or (
14      strings.replace_confusables(sender.display_name) != sender.display_name
15      and strings.contains(strings.replace_confusables(sender.display_name), "SSA")
16    )
17    or any([sender.display_name, subject.subject],
18           regex.icontains(strings.replace_confusables(.), 'Social (?:benefits|security)', )
19    )
20  )
21  // Contains a link
22  and length(body.links) >= 1
23  
24  // Not from a .gov domain
25  and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)
26  
27  // Additional suspicious indicator
28  and (
29    any(ml.nlu_classifier(body.current_thread.text).topics,
30        .name == "Secure Message" and .confidence == "high"
31    )
32    or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
33    or strings.icontains(body.current_thread.text, "Social Security Statement")
34    or regex.icontains(body.current_thread.text,
35                       "(?:view|open) (?:your|the).{0,8} (statement|document)"
36    )
37    // real SSA phone number
38    or strings.icontains(body.current_thread.text, "1-800-772-1213")
39    or any(body.links,
40           any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
41               .named_groups["ext"] in $file_extensions_executables
42           )
43    )
44    or any(ml.logo_detect(file.message_screenshot()).brands,
45           .name == "SSA" and .confidence == "high"
46    )
47  )
48  and not any(ml.nlu_classifier(body.current_thread.text).topics,
49              .name in (
50                "Newsletters and Digests",
51                "Advertising and Promotions",
52                "Events and Webinars"
53              )
54              and .confidence == "high"
55  )
56  // not a forward or reply
57  and (headers.in_reply_to is null or length(headers.references) == 0)
58  and (
59    not profile.by_sender().solicited
60    or (
61      profile.by_sender().any_messages_malicious_or_spam
62      and not profile.by_sender().any_messages_benign
63    )
64  )
65  and not (
66    sender.email.domain.root_domain in $high_trust_sender_root_domains
67    and coalesce(headers.auth_summary.dmarc.pass, false)
68  )  
69
70attack_types:
71  - "BEC/Fraud"
72  - "Credential Phishing"
73tactics_and_techniques:
74  - "Impersonation: Brand"
75  - "Social engineering"
76detection_methods:
77  - "Content analysis"
78  - "Sender analysis"
79  - "URL analysis"
80id: "6196767e-6264-5833-96f3-d1e34424d7b5"
to-top