Impersonation: Suspected supplier impersonation with suspicious content
This rule detects supplier impersonation by checking for: linked domains that are similar to (but not the same as) the sender's domain, non-freemail senders whose message traversed freemail infrastructure, sender domains less than 90 days old, unsolicited communication or no prior interaction with the reply-to address, and a suspicious body.
# Sublime Security detection rule: YAML metadata plus an MQL expression in `source`.
# Every top-level section of the expression is AND-ed, so all four parts
# (lookalike link, freemail traversal, young/unsolicited domain, suspicious body)
# must hold for the rule to fire.
name: "Impersonation: Suspected supplier impersonation with suspicious content"
description: "This rule detects supplier impersonation by checking for: similar linked domains to the sender, non-freemail senders using freemail infrastructure, sender domains less than 90 days old, unsolicited communication or no prior interaction with the reply-to address, and a suspicious body."
type: "rule"
severity: "high"
source: |
  type.inbound
  // a linked domain is similar but not the same as the sender domain
  // distance 0 would be the sender's own second-level domain, so the lower
  // bound excludes legitimate links back to the sender; 1-2 edits covers
  // single- and double-character lookalikes
  and any(body.links,
          0 < strings.levenshtein(.href_url.domain.sld, sender.email.domain.sld) <= 2
  )
  // the sender is not a freemail, but the message or the in-reply-to indicates it traversed a freemail infrastructure, likely an auto forwarding rule
  and (
    sender.email.domain.root_domain not in $free_email_providers
    and (
      // `..` is the item of the outer any() (one References value): match when
      // any freemail provider string appears inside it
      any(headers.references, any($free_email_providers, strings.contains(.., .)))
      or any($free_email_providers, strings.contains(headers.in_reply_to, .))
    )
  )
  // the sender domain is less than 90 days old and was not solicited, nor ever communicated with
  and (
    // NOTE(review): when the whois lookup yields no age this comparison does
    // not hold and the whole rule stays silent — confirm that is the intent
    network.whois(sender.email.domain).days_old < 90
    and (
      not profile.by_sender_domain().solicited
      or // reply-to is not in $recipient_emails
      any(headers.reply_to, .email.email not in $recipient_emails)
    )
  )
  // suspicious body: at least two of the four NLU signals below must match
  and (
    2 of (
      // language attempting to engage
      // (one signal, and only when both a request and a financial entity are present)
      (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "request"
        )
        and any(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "financial"
        )
      ),
      // payment tag high confidence
      any(ml.nlu_classifier(body.current_thread.text).tags,
          .name == "payment" and .confidence == "high"
      ),
      // invoicing language
      any(ml.nlu_classifier(body.current_thread.text).tags, .name == "invoice"),

      // urgency request
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "urgency"
      )
    )
  )
# Classification metadata; these fields describe the rule and do not take part in matching.
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
id: "63d8b1ce-7409-58d9-aa78-fffba12bba29"