Impersonation: Suspected supplier impersonation with suspicious content

This rule detects supplier impersonation by checking for: similar linked domains to the sender, non-freemail senders using freemail infrastructure, sender domains less than 90 days old, unsolicited communication or no prior interaction with the reply-to address, and a suspicious body.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The MQL query lives in the `source` block scalar;
# `//` lines inside it are MQL comments, `#` lines outside it are YAML comments.
name: "Impersonation: Suspected supplier impersonation with suspicious content"
description: "This rule detects supplier impersonation by checking for: similar linked domains to the sender, non-freemail senders using freemail infrastructure, sender domains less than 90 days old, unsolicited communication or no prior interaction with the reply-to address, and a suspicious body."
type: "rule"
severity: "high"
# NOTE(review): the description says "less than 90 days old", but in the query below the
# 90-day threshold applies only to the freemail-traversal branch; the lookalike-domain and
# reply-to checks use 30 days. Consider aligning the description with the thresholds.
source: |
  type.inbound
  
  // a linked domain is similar but not the same as the sender domain:
  // SLD edit distance of 1 or 2, with SLDs longer than 3 characters so very short
  // names don't trivially collide
  and any(body.links,
          length(.href_url.domain.sld) > 3
          and 0 < strings.levenshtein(.href_url.domain.sld,
                                      sender.email.domain.sld
          ) <= 2
          // onmicrosoft.com senders are excluded; presumably to skip default
          // Microsoft 365 tenant domains -- confirm the intent
          and not sender.email.domain.root_domain == "onmicrosoft.com"
  
          // looking for lookalike domains above, typically the registrars won't match
          // NOTE(review): if whois data is unavailable for either domain, registrar_name
          // is empty and this comparison may behave differently than intended -- verify
          and network.whois(sender.email.domain).registrar_name != network.whois(.href_url.domain
          ).registrar_name
  
          // and one of the domains is less than 30 days old
          and (
            network.whois(sender.email.domain).days_old < 30
            or network.whois(.href_url.domain).days_old < 30
          )
  )
  // the sender is not a freemail, but the message or the in-reply-to indicates it
  // traversed a freemail infrastructure, likely an auto forwarding rule.
  // Or the sender or reply-to domain is new
  and (
    sender.email.domain.root_domain not in $free_email_providers
    and (
      // a References header entry mentions a freemail provider;
      // `..` is the outer item (the references entry), `.` the provider
      any(headers.references,
          any($free_email_providers, strings.contains(.., .))
          // outlook.com is excluded here and below, presumably because Microsoft-hosted
          // mail carries outlook.com message-ids and would otherwise false-positive -- confirm
          and not strings.ends_with(., "outlook.com")
      )
      or (
        // same check against the In-Reply-To header
        any($free_email_providers,
            strings.contains(headers.in_reply_to, .)
            and not strings.ends_with(headers.in_reply_to, 'outlook.com')
        )
        // with the suspicious traversal tolerate 90 days
        and network.whois(sender.email.domain).days_old < 90
      )
      // or the Reply-To address differs from the sender and its domain is new
      or any(headers.reply_to,
             network.whois(.email.domain).days_old < 30
             and .email.email != sender.email.email
      )
    )
  )
  
  // not solicited, nor ever communicated with:
  // the sender-domain profile is not marked solicited, or a Reply-To address
  // was never a recipient of outbound mail
  and (
    not profile.by_sender_domain().solicited
    or // reply-to is not in $recipient_emails
   any(headers.reply_to, .email.email not in $recipient_emails)
  )
  // suspicious body: at least two of the four NLU content signals below must match
  and (
    2 of (
      // language attempting to engage: a request entity together with a financial entity
      (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "request"
        )
        and any(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "financial"
        )
      ),
      // payment tag with high confidence
      any(ml.nlu_classifier(body.current_thread.text).tags,
          .name == "payment" and .confidence == "high"
      ),
      // invoicing language (any confidence)
      any(ml.nlu_classifier(body.current_thread.text).tags, .name == "invoice"),
  
      // urgency request
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "urgency"
      )
    )
  )  
# classification metadata used for triage and reporting
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
# rule identifier; presumably expected to stay stable across edits -- confirm
id: "63d8b1ce-7409-58d9-aa78-fffba12bba29"