Impersonation: Social Security Administration (SSA)

calendar Oct 8, 2025  ·
Share on: linkedin copy

Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders.

Sublime rule (View on GitHub)

 1name: "Impersonation: Social Security Administration (SSA)"
 2description: "Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // Identifies as SSA without catching strings such as "Alyssa"
 9  and (
10    regex.contains(sender.display_name, '^SSA\b')
11    or strings.icontains(sender.display_name, "Social Security Administration")
12    // there are confusables in the display name
13    or (
14      strings.replace_confusables(sender.display_name) != sender.display_name
15      and strings.contains(strings.replace_confusables(sender.display_name), "SSA")
16    )
17    or any([sender.display_name, subject.subject],
18           regex.icontains(., 'Social (?:benefits|security)', )
19    )
20  )
21  // Contains a link
22  and length(body.links) >= 1
23  
24  // Not from a .gov domain
25  and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)
26  
27  // Additional suspicious indicator
28  and (
29    any(ml.nlu_classifier(body.current_thread.text).topics,
30        .name == "Secure Message" and .confidence == "high"
31    )
32    or strings.contains(body.current_thread.text, "SSA Statement Viewer")
33    // real SSA phone number
34    or strings.icontains(body.current_thread.text, "1-800-772-1213")
35    or any(body.links,
36           any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
37               .named_groups["ext"] in $file_extensions_executables
38           )
39    )
40    or any(ml.logo_detect(file.message_screenshot()).brands,
41           .name == "SSA" and .confidence == "high"
42    )
43  )
44  and not any(ml.nlu_classifier(body.current_thread.text).topics,
45              .name == "Newsletters and Digests" and .confidence == "high"
46  )
47  // not a forward or reply
48  and (headers.in_reply_to is null or length(headers.references) == 0)
49  and (
50    not profile.by_sender().solicited
51    or (
52      profile.by_sender().any_messages_malicious_or_spam
53      and not profile.by_sender().any_messages_benign
54    )
55  )
56  and not (
57    sender.email.domain.root_domain in $high_trust_sender_root_domains
58    and coalesce(headers.auth_summary.dmarc.pass, false)
59  )  
60
61attack_types:
62  - "BEC/Fraud"
63  - "Credential Phishing"
64tactics_and_techniques:
65  - "Impersonation: Brand"
66  - "Social engineering"
67detection_methods:
68  - "Content analysis"
69  - "Sender analysis"
70  - "URL analysis"
71id: "6196767e-6264-5833-96f3-d1e34424d7b5"
to-top