Impersonation: Suspected supplier impersonation with suspicious content

This rule detects supplier impersonation by requiring all of the following: a linked domain that closely resembles (but is not identical to) the sender's domain, a non-freemail sender whose thread headers show it passed through freemail infrastructure, a sender domain less than 90 days old, a message that is either unsolicited or carries a Reply-To outside the recipient addresses, and a body with suspicious financial/payment/invoice/urgency language.


name: "Impersonation: Suspected supplier impersonation with suspicious content"
description: "This rule detects supplier impersonation by checking for: similar linked domains to the sender, non-freemail senders using freemail infrastructure, sender domains less than 90 days old, unsolicited communication or no prior interaction with the reply-to address, and a suspicious body."
type: "rule"
severity: "high"
# Every top-level clause in `source` is AND-ed: the message must be inbound,
# contain a lookalike link, show freemail threading, come from a young and
# unsolicited/redirected sender, AND carry at least two NLU body signals.
source: |
  type.inbound
  // 1) Lookalike link: some link's second-level domain is within 2 edits of the
  //    sender's SLD but not identical (the "0 <" bound excludes exact matches).
  //    NOTE(review): for very short SLDs an edit distance of 1-2 is easy to hit
  //    by chance, so this clause is noisy on its own and relies on the gates below.
  and any(body.links,
          0 < strings.levenshtein(.href_url.domain.sld, sender.email.domain.sld) <= 2
  )
  // 2) The sender's root domain is not a freemail provider, yet the References
  //    or In-Reply-To header contains a freemail provider string, i.e. the thread
  //    traversed freemail infrastructure -- likely an auto-forwarding rule.
  //    NOTE(review): strings.contains is a substring test, so any Message-ID that
  //    merely embeds a provider name from $free_email_providers satisfies it.
  and (
    sender.email.domain.root_domain not in $free_email_providers
    and (
      // ".." presumably binds the outer References entry, "." the provider -- confirm
      any(headers.references, any($free_email_providers, strings.contains(.., .)))
      or any($free_email_providers, strings.contains(headers.in_reply_to, .))
    )
  )
  // 3) Young sender domain (< 90 days old per WHOIS) that is EITHER not a solicited
  //    sender domain OR has a Reply-To pointing outside $recipient_emails.
  //    NOTE(review): if the WHOIS lookup returns no age, the "< 90" comparison
  //    presumably does not hold and the rule silently fails to match -- confirm.
  and (
    network.whois(sender.email.domain).days_old < 90
    and (
      not profile.by_sender_domain().solicited
      or // reply-to is not in $recipient_emails
   any(headers.reply_to, .email.email not in $recipient_emails)
    )
  )
  // 4) Suspicious body: at least two of the four NLU signals below must be present
  //    on the current thread text.
  and (
    2 of (
      // language attempting to engage: a "request" entity together with a "financial" entity
      (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "request"
        )
        and any(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "financial"
        )
      ),
      // payment tag, high confidence only
      any(ml.nlu_classifier(body.current_thread.text).tags,
          .name == "payment" and .confidence == "high"
      ),
      // invoicing language, any confidence
      any(ml.nlu_classifier(body.current_thread.text).tags, .name == "invoice"),
  
      // urgency entity, any confidence
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "urgency"
      )
    )
  )  
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
id: "63d8b1ce-7409-58d9-aa78-fffba12bba29"