Impersonation: Social Security Administration (SSA)

Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders.

Sublime rule (View on GitHub)

# Sublime Security detection rule (YAML metadata + MQL in `source`).
# Flags inbound mail that presents itself as the U.S. Social Security
# Administration (SSA) and carries at least one further suspicious indicator,
# then drops DMARC-passing .gov senders, newsletter-like content,
# replies/forwards, solicited senders and DMARC-passing high-trust domains.
name: "Impersonation: Social Security Administration (SSA)"
# NOTE(review): the description says matching messages "contain links", but no
# clause in `source` requires body.links to be non-empty; the only link check
# (executable-looking extension in a link path) is one optional indicator.
description: "Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound messages with zero or one attachment.
  type.inbound
  and length(attachments) < 2

  // ---- 1. SSA impersonation signal: any one branch below must hold ----
  // Identifies as SSA without catching strings such as "Alyssa"
  and (
    // '^SSA\b' is anchored, so "SSA" must be the first word of the display name
    regex.contains(sender.display_name, '^SSA\b')
    or strings.icontains(sender.display_name, "Social Security Administration")
    // there are confusables in the display name
    // (normalising look-alike characters changes the name AND the normalised
    // form contains "SSA" - note strings.contains here is case-sensitive)
    or (
      strings.replace_confusables(sender.display_name) != sender.display_name
      and strings.contains(strings.replace_confusables(sender.display_name),
                           "SSA"
      )
    )
    // display name or subject (after confusable replacement) mentions
    // "Social benefits" / "Social security", case-insensitively
    or any([sender.display_name, subject.subject],
           regex.icontains(strings.replace_confusables(.),
                           'Social (?:benefits|security)',
           )
    )
    // a Word attachment whose extracted strings name the agency
    or (
      any(attachments,
          .file_type in ("doc", "docx")
          and any(file.explode(.),
                  strings.icontains(.scan.strings.raw,
                                    "Social Security Administration"
                  )
          )
      )
    )
    // display name or subject references a statement
    // (e.g. "Digital Statement", "e-Statement", "eStatement" followed within
    // 10 characters by Generated/Created/Issued/Ready)
    or (
      any([sender.display_name, subject.subject],
          regex.icontains(strings.replace_confusables(.),
                          '(Digital|(e[[:punct:]]?))\s?Statements?.{0,10}(Generated|Created|Issued|Ready)'
          )
      )
      // with SSA impersonation in the body
      and strings.icontains(body.current_thread.text,
                            'Social Security Administration'
      )
    )
    // HTML <title> mentions Social Security together with a document/account
    // keyword, or equals the agency name (`=~` is a case-insensitive comparison)
    or any(html.xpath(body.html, '//title').nodes,
         (
           strings.icontains(.inner_text, 'Social Security')
           and (
             strings.icontains(.inner_text, 'Statement')
             or strings.icontains(.inner_text, 'Notification')
             or strings.icontains(.inner_text, 'Document')
             or strings.icontains(.inner_text, 'Message')
             or strings.icontains(.inner_text, 'Important Update')
             or strings.icontains(.inner_text, 'Benefit Amount')
             or strings.icontains(.inner_text, 'Account')
             or strings.icontains(.inner_text, 'Authorization')
           )
         )
         or .inner_text =~ "Social Security Administration"
         or .inner_text =~ "Social Security"
    )
  )

  // Not from a .gov domain
  // (a .gov sender is excluded only when DMARC also passes, so a spoofed
  // .gov address that fails DMARC is still evaluated)
  // NOTE(review): unlike the high-trust check at the end of this rule,
  // dmarc.pass is not wrapped in coalesce(..., false) here - confirm the
  // intended outcome when the DMARC result is absent (null).
  and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)

  // ---- 2. Additional suspicious indicator: any one branch below must hold ----
  // Additional suspicious indicator
  and (
    // NLU topic classification of the current thread text
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Secure Message" and .confidence == "high"
    )
    // statement-viewing lures in the body text
    or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
    or strings.icontains(body.current_thread.text, "Social Security Statement")
    or regex.icontains(body.current_thread.text,
                       "(?:view|open) (?:your|the).{0,8} (statement|document)"
    )
    // real SSA phone number
    or strings.icontains(body.current_thread.text, "1-800-772-1213")
    // a link whose URL path ends in an extension from the executables list;
    // the regex captures the text after the last '.' up to '?', '#' or end
    or any(body.links,
           any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
               .named_groups["ext"] in $file_extensions_executables
           )
    )
    // brand logo detection on a rendered screenshot of the message
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name == "SSA" and .confidence == "high"
    )
    // a Word attachment carrying pressure language or a phone-number shape;
    // the [ilo0-9] classes also match the letters i/l/o used in place of digits
    or (
      any(attachments,
          .file_type in ("doc", "docx")
          and any(file.explode(.),
                  strings.icontains(.scan.strings.raw, "suspended")
                  or strings.icontains(.scan.strings.raw, "fraudulent")
                  or strings.icontains(.scan.strings.raw, "violated")
                  or strings.icontains(.scan.strings.raw, "false identity")
                  or regex.icontains(.scan.strings.raw,
                                     '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                                     '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
                  )
          )
      )
    )
  )

  // ---- 3. Exclusions ----
  // bulk/marketing content classified with high confidence is out of scope
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in (
                "Newsletters and Digests",
                "Advertising and Promotions",
                "Events and Webinars"
              )
              and .confidence == "high"
  )
  // not a forward or reply
  // (passes when In-Reply-To is absent OR References is empty, so a message
  // carrying only one of the two headers still qualifies)
  and (headers.in_reply_to is null or length(headers.references) == 0)
  // sender profile: unsolicited, or previously malicious/spam with no benign history
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // high-trust root domains are excluded only when DMARC passes;
  // a missing DMARC result is treated as a fail here
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )  
# Classification metadata.
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "6196767e-6264-5833-96f3-d1e34424d7b5"