Impersonation: Suspected supplier impersonation with suspicious content
This rule detects supplier impersonation by checking for: similar linked domains to the sender, non-freemail senders using freemail infrastructure, sender domains less than 90 days old, unsolicited communication or no prior interaction with the reply-to address, and a suspicious body.
# Sublime detection rule. The `source` block is MQL; every top-level clause
# below is joined with `and`, so all four sections (lookalike link domain,
# freemail-traversal / new domain, unsolicited sender, suspicious body) must
# match for the rule to fire.
# NOTE(review): the description quotes "less than 90 days old", but in the
# source only the in_reply_to branch uses 90 days; the lookalike-domain and
# reply-to branches use 30 days.
name: "Impersonation: Suspected supplier impersonation with suspicious content"
description: "This rule detects supplier impersonation by checking for: similar linked domains to the sender, non-freemail senders using freemail infrastructure, sender domains less than 90 days old, unsolicited communication or no prior interaction with the reply-to address, and a suspicious body."
type: "rule"
severity: "high"
source: |
  type.inbound

  // a linked domain is similar but not the same as the sender domain:
  // the link's SLD must be longer than 3 chars and within Levenshtein
  // distance 1..2 of the sender SLD (distance 0 = identical, excluded).
  // Every condition inside this any() is evaluated per link, including the
  // onmicrosoft.com exclusion, which does not itself depend on the link.
  and any(body.links,
          length(.href_url.domain.sld) > 3
          and 0 < strings.levenshtein(.href_url.domain.sld,
                                      sender.email.domain.sld
                                      ) <= 2
          and not sender.email.domain.root_domain == "onmicrosoft.com"

          // looking for lookalike domains above, typically the registrars won't match
          and network.whois(sender.email.domain).registrar_name != network.whois(.href_url.domain
                                                                                 ).registrar_name

          // and one of the domains is less than 30 days old
          and (
            network.whois(sender.email.domain).days_old < 30
            or network.whois(.href_url.domain).days_old < 30
          )
  )
  // the sender is not a freemail, but the message or the in-reply-to indicates it traversed a freemail infrastructure, likely an auto forwarding rule. Or the sender or reply-to domain is new
  // Three alternative signals, all gated on the sender domain NOT being a
  // freemail provider:
  //   1. a References header entry contains a freemail provider (no age check)
  //   2. In-Reply-To contains a freemail provider AND the sender domain is < 90 days old
  //   3. a Reply-To address differs from the sender and its domain is < 30 days old
  // NOTE(review): the outlook.com exclusions use strings.ends_with on the raw
  // header value; this assumes the value ends with the bare domain (no trailing
  // ">" or other characters) -- confirm against the header representation.
  and (
    sender.email.domain.root_domain not in $free_email_providers
    and (
      // here `..` is the enclosing References entry and `.` the provider
      any(headers.references,
          any($free_email_providers, strings.contains(.., .))
          and not strings.ends_with(., "outlook.com")
      )
      or (
        any($free_email_providers,
            strings.contains(headers.in_reply_to, .)
            and not strings.ends_with(headers.in_reply_to, 'outlook.com')
        )
        // with the suspicious traversal tolerate 90 days
        and network.whois(sender.email.domain).days_old < 90
      )
      or any(headers.reply_to,
             network.whois(.email.domain).days_old < 30
             and .email.email != sender.email.email
      )
    )
  )

  // not solicited, nor ever communicated with:
  // either the sender domain profile is unsolicited, or some Reply-To
  // address is not one of the recipients' own addresses
  and (
    not profile.by_sender_domain().solicited
    or // reply-to is not in $recipient_emails
    any(headers.reply_to, .email.email not in $recipient_emails)
  )
  // suspicious body: at least 2 of the 4 NLU signals below must match.
  // The first signal is a compound (request AND financial entity) that counts
  // as one. Each call classifies the same text: body.plain.raw, falling back
  // to body.current_thread.text when it is absent.
  and (
    2 of (
      // language attempting to engage
      (
        any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).entities,
            .name == "request"
        )
        and any(ml.nlu_classifier(coalesce(body.plain.raw,
                                           body.current_thread.text
                                           )
                ).entities,
                .name == "financial"
        )
      ),
      // payment tag high confidence
      any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).tags,
          .name == "payment" and .confidence == "high"
      ),
      // invoicing language
      any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).tags,
          .name == "invoice"
      ),

      // urgency request
      any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).entities,
          .name == "urgency"
      )
    )
  )
# Classification metadata for the rule (not evaluated by the source query).
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
id: "63d8b1ce-7409-58d9-aa78-fffba12bba29"