Impersonation: Social Security Administration with secure message language
Detects messages impersonating the Social Security Administration (SSA) that contain links and use legitimate SSA terminology like 'Secure Message' or 'SSA Statement Viewer', but are sent from non-government domains by unsolicited or suspicious senders.
Sublime rule
name: "Impersonation: Social Security Administration with secure message language"
description: "Detects messages impersonating the Social Security Administration (SSA) that contain links and use legitimate SSA terminology like 'Secure Message' or 'SSA Statement Viewer', but are sent from non-government domains by unsolicited or suspicious senders."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // Identifies as SSA without catching strings such as "Alyssa"
  and (
    regex.contains(sender.display_name, '^SSA\b')
    or strings.icontains(sender.display_name, "Social Security Administration")
  )
  // Contains a link
  and length(body.links) >= 1

  // Not from a .gov domain
  and not sender.email.domain.tld == ".gov"

  // Secure message wording
  and (
    strings.icontains(body.current_thread.text, "Secure Message")
    or strings.contains(body.current_thread.text, "SSA Statement Viewer")
    // real SSA phone number
    or strings.icontains(body.current_thread.text, "1-800-772-1213")
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "6196767e-6264-5833-96f3-d1e34424d7b5"
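To show how the rule's conditions combine, here is an added Python re-implementation of its logic over constructed sample messages; it is not Sublime's code, and the `Message` fields, the simple `tld()` helper (last label only, not a public-suffix lookup) and the sample senders are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Message:
    """Constructed stand-in for the fields the rule reads (hypothetical)."""
    display_name: str
    sender_domain: str
    body_text: str
    links: list = field(default_factory=list)
    solicited: bool = False                  # profile.by_sender().solicited
    sender_malicious_or_spam: bool = False   # ...any_messages_malicious_or_spam
    sender_benign: bool = False              # ...any_messages_benign

# Mirrors regex.contains(sender.display_name, '^SSA\b'): anchored at the start
# and word-bounded, so "Alyssa Jones" is not matched but "SSA Notice" is.
SSA_NAME_RE = re.compile(r"^SSA\b")

def suspicious_sender(m: Message) -> bool:
    """Unsolicited, or a sender with bad history and no benign history."""
    return (not m.solicited) or (m.sender_malicious_or_spam and not m.sender_benign)

def impersonates_ssa(m: Message) -> bool:
    return bool(SSA_NAME_RE.search(m.display_name)) or \
        "social security administration" in m.display_name.lower()

def has_secure_message_language(m: Message) -> bool:
    text = m.body_text
    return ("secure message" in text.lower()          # icontains
            or "SSA Statement Viewer" in text          # contains (case-sensitive, as in the rule)
            or "1-800-772-1213" in text)               # real SSA phone number

def tld(domain: str) -> str:
    """Approximation of sender.email.domain.tld: the last DNS label."""
    return "." + domain.rsplit(".", 1)[-1].lower() if "." in domain else ""

def matches_rule(m: Message) -> bool:
    return (suspicious_sender(m)
            and impersonates_ssa(m)
            and len(m.links) >= 1
            and tld(m.sender_domain) != ".gov"
            and has_secure_message_language(m))

# Constructed samples: an impersonation, a legitimate .gov notice, a false-positive candidate.
PHISH = Message("SSA Secure Message Center", "ssa-notice.example",
                "A new Secure Message is waiting in your SSA Statement Viewer.",
                links=["https://ssa-notice.example/view"])
LEGIT = Message("Social Security Administration", "ssa.gov",
                "You have a new Secure Message.", links=["https://www.ssa.gov/myaccount"],
                solicited=True)
ALYSSA = Message("Alyssa Jones", "corp.example", "Secure Message attached.",
                 links=["https://corp.example/doc"])
```

Running `matches_rule` over the three samples shows only the lookalike-domain message firing; the `.gov` notice and the "Alyssa" sender fall through.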