Impersonation: Social Security Administration with secure message language

Detects messages impersonating the Social Security Administration (SSA) that contain links and use legitimate SSA terminology like 'Secure Message' or 'SSA Statement Viewer', but are sent from non-government domains by unsolicited or suspicious senders.

Sublime rule

name: "Impersonation: Social Security Administration with secure message language"
description: "Detects messages impersonating the Social Security Administration (SSA) that contain links and use legitimate SSA terminology like 'Secure Message' or 'SSA Statement Viewer', but are sent from non-government domains by unsolicited or suspicious senders."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // Identifies as SSA without catching strings such as "Alyssa"
  and (
    regex.contains(sender.display_name, '^SSA\b')
    or strings.icontains(sender.display_name, "Social Security Administration")
  )
  // Contains a link
  and length(body.links) >= 1

  // Not from a .gov domain
  and not sender.email.domain.tld == ".gov"

  // Secure message wording
  and (
    strings.icontains(body.current_thread.text, "Secure Message")
    or strings.contains(body.current_thread.text, "SSA Statement Viewer")
    // real SSA phone number
    or strings.icontains(body.current_thread.text, "1-800-772-1213")
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "6196767e-6264-5833-96f3-d1e34424d7b5"
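As an added example (not Sublime's own code, and not MQL), the rule's logic re-expressed in Python and run over three constructed messages, so the anchored `^SSA\b` display-name check and the `.gov` TLD exclusion can be seen in isolation; the sender-profile fields (`solicited`, prior malicious/spam and benign history) are modelled as plain booleans, which is an assumption about how they would be fed in.

```python
import re
from dataclasses import dataclass, field

# Anchored and case-sensitive, mirroring regex.contains(sender.display_name, '^SSA\b'):
# "SSA Secure Message" matches, "Alyssa Brown" does not.
SSA_NAME_RE = re.compile(r"^SSA\b")


@dataclass
class Message:
    """Minimal stand-in for the MQL fields the rule reads (constructed, not Sublime's model)."""
    display_name: str
    sender_domain: str
    body_text: str
    links: list = field(default_factory=list)
    solicited: bool = True                 # profile.by_sender().solicited
    any_malicious_or_spam: bool = False    # profile.by_sender().any_messages_malicious_or_spam
    any_benign: bool = False               # profile.by_sender().any_messages_benign


def suspicious_sender(m: Message) -> bool:
    return (not m.solicited) or (m.any_malicious_or_spam and not m.any_benign)


def claims_ssa(display_name: str) -> bool:
    return bool(SSA_NAME_RE.search(display_name)) or \
        "social security administration" in display_name.lower()


def domain_tld(domain: str) -> str:
    # Rule compares the TLD against the literal ".gov", so keep the leading dot.
    return "." + domain.rsplit(".", 1)[-1].lower()


def secure_message_wording(text: str) -> bool:
    low = text.lower()
    return ("secure message" in low                 # strings.icontains
            or "SSA Statement Viewer" in text       # strings.contains (case-sensitive)
            or "1-800-772-1213" in low)             # real SSA phone number


def rule_matches(m: Message) -> bool:
    return (suspicious_sender(m) and claims_ssa(m.display_name)
            and len(m.links) >= 1 and domain_tld(m.sender_domain) != ".gov"
            and secure_message_wording(m.body_text))


# Constructed samples: a lookalike, a real-domain notice, and an unrelated "Alyssa" sender.
LOOKALIKE = Message("SSA Secure Message", "ssa-notice.example.test",
                    "You have a new Secure Message. Call 1-800-772-1213.",
                    links=["https://ssa-notice.example.test/view"], solicited=False)
REAL_DOMAIN = Message("Social Security Administration", "ssa.gov",
                      "Open the SSA Statement Viewer.", links=["https://www.ssa.gov/"],
                      solicited=False)
ALYSSA = Message("Alyssa Brown", "mail.example.test", "Secure Message enclosed",
                 links=["https://mail.example.test/x"], solicited=False)
```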