Impersonation: Social Security Administration with secure message language

calendar Aug 26, 2025  ·
Share on: linkedin copy

Detects messages impersonating the Social Security Administration (SSA) that contain links and use legitimate SSA terminology like 'Secure Message' or 'SSA Statement Viewer', but are sent from non-government domains by unsolicited or suspicious senders.

Sublime rule (View on GitHub)

 1name: "Impersonation: Social Security Administration with secure message language"
 2description: "Detects messages impersonating the Social Security Administration (SSA) that contain links and use legitimate SSA terminology like 'Secure Message' or 'SSA Statement Viewer', but are sent from non-government domains by unsolicited or suspicious senders."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    not profile.by_sender().solicited
 9    or (
10      profile.by_sender().any_messages_malicious_or_spam
11      and not profile.by_sender().any_messages_benign
12    )
13  )
14  // Identifies as SSA without catching strings such as "Alyssa"
15  and (
16    regex.contains(sender.display_name, '^SSA\b')
17    or strings.icontains(sender.display_name, "Social Security Administration")
18  )
19  // Contains a link
20  and length(body.links) >= 1
21  
22  // Not from a .gov domain
23  and not sender.email.domain.tld == ".gov"
24  
25  // Secure messsage wording
26  and (
27    strings.icontains(body.current_thread.text, "Secure Message")
28    or strings.contains(body.current_thread.text, "SSA Statement Viewer")
29    // real SSA phone number
30    or strings.icontains(body.current_thread.text, "1-800-772-1213")
31  )  
32
33attack_types:
34  - "BEC/Fraud"
35  - "Credential Phishing"
36tactics_and_techniques:
37  - "Impersonation: Brand"
38  - "Social engineering"
39detection_methods:
40  - "Content analysis"
41  - "Sender analysis"
42  - "URL analysis"
43id: "6196767e-6264-5833-96f3-d1e34424d7b5"
to-top