Impersonation: Social Security Administration (SSA)
Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders.
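name: "Impersonation: Social Security Administration (SSA)"
description: "Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders."
type: "rule"
severity: "medium"
source: |
  type.inbound

  // Brand claim: the sender display name or subject identifies as the SSA.
  // '^SSA\b' is anchored and case-sensitive so names that merely contain
  // "ssa" (e.g. "Alyssa") are not matched.
  and (
    regex.contains(sender.display_name, '^SSA\b')
    or strings.icontains(sender.display_name, "Social Security Administration")
    or any([sender.display_name, subject.subject],
           regex.icontains(., 'Social (?:benefits|security)')
    )
  )

  // The lure needs somewhere to send the victim: require at least one link
  and length(body.links) >= 1

  // Exempt mail that really comes from a .gov domain AND passes DMARC.
  // The DMARC verdict is coalesced to false, matching the high-trust
  // exclusion at the bottom of the rule, so a missing auth result is treated
  // as "not authenticated" instead of quietly exempting a .gov-looking sender.
  and not (
    sender.email.domain.tld == "gov"
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

  // At least one additional suspicious indicator beyond the brand claim
  and (
    // NLU classifies the thread as a "secure message" notification
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Secure Message" and .confidence == "high"
    )
    // known lure string
    or strings.contains(body.current_thread.text, "SSA Statement Viewer")
    // real SSA phone number quoted in the body
    or strings.icontains(body.current_thread.text, "1-800-772-1213")
    // a link whose URL path ends in an executable file extension
    or any(body.links,
           any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
               .named_groups["ext"] in $file_extensions_executables
           )
    )
  )

  // Newsletters/digests discussing Social Security are excluded to limit FPs
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Newsletters and Digests" and .confidence == "high"
  )

  // Not a forward or reply.
  // NOTE(review): with `or`, a message is only treated as a reply when BOTH
  // In-Reply-To and References are present — confirm this is the intended
  // threshold rather than `and`.
  and (headers.in_reply_to is null or length(headers.references) == 0)

  // Sender reputation: either unsolicited, or a sender whose only prior
  // history is malicious/spam with no benign messages
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )

  // Exempt high-trust root domains, but only when DMARC actually passed
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "6196767e-6264-5833-96f3-d1e34424d7b5"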