Impersonation: Social Security Administration (SSA)

Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders.


 1name: "Impersonation: Social Security Administration (SSA)"
 2description: "Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // Identifies as SSA without catching strings such as "Alyssa"
 9  and (
10    regex.contains(sender.display_name, '^SSA\b')
11    or strings.icontains(sender.display_name, "Social Security Administration")
12    or any([sender.display_name, subject.subject],
13           regex.icontains(., 'Social (?:benefits|security)', )
14    )
15  )
16  
17  // Contains a link
18  and length(body.links) >= 1
19  
20  // Not from a .gov domain
21  and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)
22  
23  // Additional suspicious indicator
24  and (
25    any(ml.nlu_classifier(body.current_thread.text).topics,
26        .name == "Secure Message" and .confidence == "high"
27    )
28    or strings.contains(body.current_thread.text, "SSA Statement Viewer")
29    // real SSA phone number
30    or strings.icontains(body.current_thread.text, "1-800-772-1213")
31    or any(body.links,
32           any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
33               .named_groups["ext"] in $file_extensions_executables
34           )
35    )
36  )
37  and not any(ml.nlu_classifier(body.current_thread.text).topics,
38              .name == "Newsletters and Digests" and .confidence == "high"
39  )
40  // not a forward or reply
41  and (headers.in_reply_to is null or length(headers.references) == 0)
42  and (
43    not profile.by_sender().solicited
44    or (
45      profile.by_sender().any_messages_malicious_or_spam
46      and not profile.by_sender().any_messages_benign
47    )
48  )
49  and not (
50    sender.email.domain.root_domain in $high_trust_sender_root_domains
51    and coalesce(headers.auth_summary.dmarc.pass, false)
52  )  
53
54attack_types:
55  - "BEC/Fraud"
56  - "Credential Phishing"
57tactics_and_techniques:
58  - "Impersonation: Brand"
59  - "Social engineering"
60detection_methods:
61  - "Content analysis"
62  - "Sender analysis"
63  - "URL analysis"
64id: "6196767e-6264-5833-96f3-d1e34424d7b5"