Brand Impersonation: Social Security Administration (SSA)
Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders.
# Sublime Security detection rule; the `source` block is an MQL boolean
# expression evaluated per inbound message. It reads as four AND'd sections:
#   1. an SSA impersonation signal (display name, subject, attachment text or
#      HTML title),
#   2. the sender is not a DMARC-passing .gov domain,
#   3. at least one additional suspicious indicator in the body/links/logo/attachments,
#   4. exclusions for benign ML topics/intents, two allowlisted senders,
#      threaded replies and trusted root domains.
name: "Brand Impersonation: Social Security Administration (SSA)"
description: "Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // --- Section 1: identifies as SSA ---
  // '^SSA\b' is anchored and word-bounded so display names such as "Alyssa"
  // do not match; the later checks widen to the full agency name,
  // confusable-normalised variants, attachment text and the HTML <title>.
  and (
    regex.contains(sender.display_name, '^SSA\b')
    or strings.icontains(sender.display_name, "Social Security Administration")
    // display name contains confusables (unicode look-alikes) that, once
    // normalised, spell SSA
    or (
      strings.replace_confusables(sender.display_name) != sender.display_name
      and strings.contains(strings.replace_confusables(sender.display_name),
                           "SSA"
      )
    )
    // "Social benefits" / "Social security" / "Social s?a" in the display
    // name or subject, after confusable normalisation
    or any([sender.display_name, subject.subject],
           regex.icontains(strings.replace_confusables(.),
                           'Social (?:benefits|security|s.a\b)',
           )
    )
    // Word attachment whose extracted strings name the agency
    or (
      any(attachments,
          .file_type in ("doc", "docx")
          and any(file.explode(.),
                  strings.icontains(.scan.strings.raw,
                                    "Social Security Administration"
                  )
          )
      )
    )
    // display name or subject references a statement
    // (e.g. "e-Statement Generated", "Digital Statement Ready")
    or (
      any([sender.display_name, subject.subject],
          regex.icontains(strings.replace_confusables(.),
                          '(Digital|(e[[:punct:]]?))\s?Statements?.{0,10}(Generated|Created|Issued|Ready)'
          )
      )
      // with SSA impersonation in the body
      and strings.icontains(body.current_thread.text,
                            'Social Security Administration'
      )
    )
    // HTML <title> pairs "Social Security" with a statement/notification
    // style keyword, or is exactly the agency name
    or any(html.xpath(body.html, '//title').nodes,
           (
             strings.icontains(.inner_text, 'Social Security')
             and (
               strings.icontains(.inner_text, 'Statement')
               or strings.icontains(.inner_text, 'Notification')
               or strings.icontains(.inner_text, 'Document')
               or strings.icontains(.inner_text, 'Message')
               or strings.icontains(.inner_text, 'Important Update')
               or strings.icontains(.inner_text, 'Benefit Amount')
               or strings.icontains(.inner_text, 'Account')
               or strings.icontains(.inner_text, 'Authorization')
             )
           )
           // =~ is a case-insensitive exact match, unlike the substring
           // checks above
           or .inner_text =~ "Social Security Administration"
           or .inner_text =~ "Social Security"
    )
  )

  // --- Section 2: not from a .gov domain ---
  // A .gov sender is only trusted when DMARC also passes, so a spoofed
  // .gov From address still evaluates the rule.
  // NOTE(review): dmarc.pass is used bare here but wrapped in
  // coalesce(..., false) in the exclusions below; if the auth summary is
  // absent this guard may evaluate differently from those — confirm the
  // intended null handling.
  and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)

  // --- Section 3: additional suspicious indicator ---
  and (
    // NLU topic typical of credential/secure-message lures
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Security and Authentication", "Secure Message")
        and .confidence == "high"
    )
    // NLU extracted an organisation entity literally named "SSA"
    or any(ml.nlu_classifier(body.current_thread.text).entities,
           .name == "org" and .text == "SSA"
    )
    // An empty or missing text body counts as an indicator — presumably to
    // cover image-only or attachment-only lures; verify against samples.
    or length(body.current_thread.text) == 0
    or body.current_thread.text is null
    or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
    or strings.icontains(strings.replace_confusables(body.current_thread.text),
                         "Social Security Statement"
    )
    // "view your statement" / "open the document" style call to action
    or regex.icontains(body.current_thread.text,
                       "(?:view|open) (?:your|the).{0,8} (statement|document)"
    )
    // NOTE(review): this pattern has no anchors or word boundaries, so it
    // matches any body containing e.g. "read", "open" or "review" as a
    // substring ("already", "opened", "thread"); it is likely to satisfy
    // this section for most non-empty bodies — confirm that breadth is
    // intended.
    or regex.icontains(body.current_thread.text,
                       "(?:view|open|assess|evaluate|review|conduct|read|scan)"
    )
    // real SSA phone number
    or strings.icontains(body.current_thread.text, "1-800-772-1213")
    // a link whose URL path ends in an executable extension; the regex
    // captures the final ".ext" before any ?query or #fragment
    or any(body.links,
           any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
               .named_groups["ext"] in $file_extensions_executables
           )
    )
    // SSA logo detected in a rendered screenshot of the message
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name == "SSA" and .confidence == "high"
    )
    // Word attachment containing threat/urgency wording or a phone-number
    // shape; the character classes accept i/l/o as digit look-alikes and
    // the second pattern allows separators such as spaces, dots, dashes
    // and the ⋅ character
    or (
      any(attachments,
          .file_type in ("doc", "docx")
          and any(file.explode(.),
                  strings.icontains(.scan.strings.raw, "suspended")
                  or strings.icontains(.scan.strings.raw, "fraudulent")
                  or strings.icontains(.scan.strings.raw, "violated")
                  or strings.icontains(.scan.strings.raw, "false identity")
                  or regex.icontains(.scan.strings.raw,
                                     '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                                     '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
                  )
          )
      )
    )
  )

  // --- Section 4: exclusions ---
  // High-confidence benign NLU topic or intent
  and not (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in (
          "Newsletters and Digests",
          "Advertising and Promotions",
          "Events and Webinars",
          "Charity and Non-Profit",
          "Political Mail"
        )
        and .confidence == "high"
    )
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "benign" and .confidence == "high"
    )
  )
  // Two known senders are excluded only when DMARC passes, so a message
  // spoofing these addresses is still evaluated
  and not (
    sender.email.email in ("email@email.monarch.com", "contact@govplus.com")
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

  // not a forward or reply
  // NOTE(review): the two checks are OR'd, so a message with a References
  // header but no In-Reply-To (or the reverse) still passes; if the intent
  // is to drop every threaded message, `and` may be intended — confirm.
  and (headers.in_reply_to is null or length(headers.references) == 0)
  // Trusted root domains are excluded only when DMARC passes
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
# Classification metadata used for triage/reporting; it does not affect matching.
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "6196767e-6264-5833-96f3-d1e34424d7b5"