Impersonation: Social Security Administration (SSA)
Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders.
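name: "Impersonation: Social Security Administration (SSA)"
description: "Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders."
type: "rule"
severity: "medium"
source: |
  type.inbound

  // Identifies as SSA without catching strings such as "Alyssa"
  and (
    regex.contains(sender.display_name, '^SSA\b')
    or strings.icontains(sender.display_name, "Social Security Administration")
    // there are confusables in the display name
    or (
      strings.replace_confusables(sender.display_name) != sender.display_name
      and strings.contains(strings.replace_confusables(sender.display_name), "SSA")
    )
    or any([sender.display_name, subject.subject],
           regex.icontains(strings.replace_confusables(.), 'Social (?:benefits|security)')
    )
    // display name or subject references a statement
    or (
      any([sender.display_name, subject.subject],
          regex.icontains(strings.replace_confusables(.),
                          '(Digital|(e[[:punct:]]?))\s?Statements?.{0,10}(Generated|Created|Issued|Ready)'
          )
      )
      // with SSA impersonation in the body
      and strings.icontains(body.current_thread.text,
                            'Social Security Administration'
      )
    )
  )
  // Contains a link
  and length(body.links) >= 1

  // Not from a .gov domain
  // coalesce mirrors the high-trust exclusion at the end of the rule: a missing
  // DMARC result is never mistaken for a pass, so a .gov sender is only excluded
  // when it actually authenticated
  and not (
    sender.email.domain.tld == "gov"
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

  // Additional suspicious indicator
  and (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Secure Message" and .confidence == "high"
    )
    or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
    or strings.icontains(body.current_thread.text, "Social Security Statement")
    or regex.icontains(body.current_thread.text,
                       "(?:view|open) (?:your|the).{0,8} (statement|document)"
    )
    // real SSA phone number
    or strings.icontains(body.current_thread.text, "1-800-772-1213")
    // a link whose URL path ends in an executable file extension
    or any(body.links,
           any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
               .named_groups["ext"] in $file_extensions_executables
           )
    )
    // SSA logo detected in a screenshot of the rendered message
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name == "SSA" and .confidence == "high"
    )
  )
  // exclude bulk/marketing mail the classifier is confident about
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in (
                "Newsletters and Digests",
                "Advertising and Promotions",
                "Events and Webinars"
              )
              and .confidence == "high"
  )
  // not a forward or reply
  // NOTE: this passes when either header is absent, so a message carrying only
  // one of In-Reply-To / References is still evaluated
  and (headers.in_reply_to is null or length(headers.references) == 0)
  // sender is unsolicited, or has prior malicious/spam history with no benign history
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "6196767e-6264-5833-96f3-d1e34424d7b5"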