Impersonation: Social Security Administration (SSA)
Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders.
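name: "Impersonation: Social Security Administration (SSA)"
description: "Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Bound the attachment-exploding branches below: at most one attachment is
  // ever scanned, so messages with two or more are out of scope for this rule
  and length(attachments) < 2
  // --- SSA impersonation signal -------------------------------------------
  // Identifies as SSA without catching strings such as "Alyssa": the display
  // name must *start* with the token "SSA" for the bare-acronym branch
  and (
    regex.contains(sender.display_name, '^SSA\b')
    or strings.icontains(sender.display_name, "Social Security Administration")
    // homoglyph evasion: only consult the normalised display name when it
    // actually contained confusable characters
    or (
      strings.replace_confusables(sender.display_name) != sender.display_name
      and strings.contains(strings.replace_confusables(sender.display_name),
                           "SSA"
      )
    )
    or any([sender.display_name, subject.subject],
           regex.icontains(strings.replace_confusables(.),
                           'Social (?:benefits|security)',
           )
    )
    // SSA branding carried inside a Word attachment instead of the message
    or (
      any(attachments,
          .file_type in ("doc", "docx")
          and any(file.explode(.),
                  strings.icontains(.scan.strings.raw,
                                    "Social Security Administration"
                  )
          )
      )
    )
    // display name or subject references a statement
    // ("Digital Statement Ready", "e-Statement Generated", ...)
    or (
      any([sender.display_name, subject.subject],
          regex.icontains(strings.replace_confusables(.),
                          '(Digital|(e[[:punct:]]?))\s?Statements?.{0,10}(Generated|Created|Issued|Ready)'
          )
      )
      // with SSA impersonation in the body
      and strings.icontains(body.current_thread.text,
                            'Social Security Administration'
      )
    )
    // HTML <title> is a common place for phishing kits to leave the brand
    // (=~ is a case-insensitive equality, so the last two are exact titles)
    or any(html.xpath(body.html, '//title').nodes,
           (
             strings.icontains(.inner_text, 'Social Security')
             and (
               strings.icontains(.inner_text, 'Statement')
               or strings.icontains(.inner_text, 'Notification')
               or strings.icontains(.inner_text, 'Document')
               or strings.icontains(.inner_text, 'Message')
               or strings.icontains(.inner_text, 'Important Update')
               or strings.icontains(.inner_text, 'Benefit Amount')
               or strings.icontains(.inner_text, 'Account')
               or strings.icontains(.inner_text, 'Authorization')
             )
           )
           or .inner_text =~ "Social Security Administration"
           or .inner_text =~ "Social Security"
    )
  )

  // --- Not from an authenticated .gov domain ------------------------------
  // A .gov sender is only trusted when DMARC actually passed. A missing DMARC
  // verdict is coalesced to false (same pattern as the high-trust exclusion
  // at the bottom) so that an unauthenticated .gov claim still reaches the
  // rest of the rule rather than short-circuiting on a null result.
  and not (
    sender.email.domain.tld == "gov"
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

  // --- Additional suspicious indicator ------------------------------------
  // At least one lure or payload characteristic beyond the brand reference
  and (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Secure Message" and .confidence == "high"
    )
    or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
    or strings.icontains(strings.replace_confusables(body.current_thread.text),
                         "Social Security Statement"
    )
    or regex.icontains(body.current_thread.text,
                       "(?:view|open) (?:your|the).{0,8} (statement|document)"
    )
    // real SSA phone number, quoted in lures to lend legitimacy
    or strings.icontains(body.current_thread.text, "1-800-772-1213")
    // a link whose URL path ends in an executable extension
    or any(body.links,
           any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
               .named_groups["ext"] in $file_extensions_executables
           )
    )
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name == "SSA" and .confidence == "high"
    )
    // Word attachment carrying scare language or a phone number
    // (digits may be substituted with i/l/o to evade simple matching)
    or (
      any(attachments,
          .file_type in ("doc", "docx")
          and any(file.explode(.),
                  strings.icontains(.scan.strings.raw, "suspended")
                  or strings.icontains(.scan.strings.raw, "fraudulent")
                  or strings.icontains(.scan.strings.raw, "violated")
                  or strings.icontains(.scan.strings.raw, "false identity")
                  or regex.icontains(.scan.strings.raw,
                                     '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                                     '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
                  )
          )
      )
    )
  )

  // --- False-positive controls --------------------------------------------
  // bulk/marketing content that merely mentions Social Security
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in (
                "Newsletters and Digests",
                "Advertising and Promotions",
                "Events and Webinars"
              )
              and .confidence == "high"
  )
  // not a forward or reply: only messages that carry BOTH an In-Reply-To and
  // a non-empty References header are excluded, so a message with just one of
  // the two still gets evaluated
  and (headers.in_reply_to is null or length(headers.references) == 0)
  // sender is unsolicited, or has prior malicious/spam history with no benign
  // messages on record
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // high-trust root domains are exempt only when DMARC passed
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "6196767e-6264-5833-96f3-d1e34424d7b5"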