VIP impersonation with BEC language (near match, untrusted sender)
Sender is using a display name that matches, or is a near match for (case-insensitive Levenshtein distance below 4), the display name of someone in your $org_vips list.
Detects potential Business Email Compromise (BEC) attacks by analyzing the text of the email body for BEC language when the sender is untrusted (not a common or solicited correspondent, previously flagged as malicious or spam, or not written to in over a year). Highly trusted sender domains are exempted unless the message fails DMARC.
Sublime rule

```yaml
name: "VIP impersonation with BEC language (near match, untrusted sender)"
description: |
  Sender is using a display name that matches the display name of someone in your $org_vips list.

  Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any($org_vips,
          0 <= strings.ilevenshtein(sender.display_name, .display_name) < 4
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "bec" and .confidence in ("medium", "high")
  )
  and (
    (
      profile.by_sender().prevalence != "common"
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
    or profile.by_sender().days_since.last_outbound > 365
  )
  // negate sharepoint notifications originating from within the org
  and not (
    sender.email.email in ('no-reply@sharepointonline.com')
    and length(headers.reply_to) > 0
    and all(headers.reply_to, .email.domain.root_domain in $org_domains)
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and not profile.by_sender().any_messages_benign
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: VIP"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "303081da-6850-5ba6-9589-c3dc7673320e"
```
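To see what the `strings.ilevenshtein(...) < 4` window and the sender-trust gate actually do, here is a stand-alone Python re-implementation of the rule's logic run over constructed sample messages. This is an added example, not Sublime's code and not part of the rule above: the VIP list, domains and messages are made up, and the NLU classifier output and `profile.by_sender()` fields are stubbed as plain attributes on a `Message` object (the SharePoint carve-out is omitted, and a sender with no outbound history is assumed not to satisfy the `days_since.last_outbound > 365` clause).

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example: plain-Python model of the rule's checks. Nothing here
# calls Sublime; the classifier and sender profile are stubbed fields.


def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive Levenshtein edit distance (insert / delete / substitute),
    the same quantity the rule's strings.ilevenshtein compares against 4."""
    a, b = a.lower(), b.lower()
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def vip_near_match(display_name: str, vips, max_distance: int = 4) -> Optional[str]:
    """First VIP whose display name is within 0 <= distance < max_distance.
    Distance 0 (an exact copy of a VIP's name) is deliberately included:
    that is the classic BEC impersonation the rule is after."""
    for vip in vips:
        if 0 <= ilevenshtein(display_name, vip) < max_distance:
            return vip
    return None


@dataclass
class SenderProfile:
    """Constructed stand-in for the profile.by_sender() fields the rule reads."""
    prevalence: str = "rare"
    solicited: bool = False
    any_messages_malicious_or_spam: bool = False
    any_messages_benign: bool = False
    days_since_last_outbound: Optional[int] = None  # None = never wrote to them


@dataclass
class Message:
    """Constructed stand-in for the message fields the rule reads."""
    display_name: str
    sender_root_domain: str
    bec_confidence: str            # stand-in for the NLU "bec" intent confidence
    dmarc_pass: bool
    profile: SenderProfile = field(default_factory=SenderProfile)


def rule_matches(msg: Message, vips, high_trust_domains) -> bool:
    """Evaluate the rule (minus the SharePoint carve-out) on one message."""
    if vip_near_match(msg.display_name, vips) is None:
        return False
    if msg.bec_confidence not in ("medium", "high"):
        return False
    p = msg.profile
    untrusted = (
        (p.prevalence != "common" and not p.solicited)
        or (p.any_messages_malicious_or_spam and not p.any_messages_benign)
        or (p.days_since_last_outbound is not None and p.days_since_last_outbound > 365)
    )
    if not untrusted:
        return False
    # Highly trusted domains are exempt unless the message failed DMARC.
    if msg.sender_root_domain in high_trust_domains and msg.dmarc_pass:
        return False
    return not p.any_messages_benign


VIPS = ["Alice Chen", "Bob Okafor"]          # constructed $org_vips
HIGH_TRUST = {"example-partner.com"}         # constructed $high_trust_sender_root_domains

if __name__ == "__main__":
    # Lookalike "AIice" (capital I for l) from a free-mail domain: distance 1, flagged.
    lookalike = Message("AIice Chen", "gmail.com", "high", True)
    print("lookalike flagged:", rule_matches(lookalike, VIPS, HIGH_TRUST))
    # Same name from a high-trust domain that passes DMARC: exempted.
    trusted = Message("Alice Chen", "example-partner.com", "high", True)
    print("trusted+DMARC flagged:", rule_matches(trusted, VIPS, HIGH_TRUST))
    # Caveat: short VIP names make the < 4 window wide. "Bo Lu" is 3 edits from "Al Li".
    print("short-name collision:", vip_near_match("Bo Lu", ["Al Li"]))
```

The last case is the practical caveat: for a two-letter first and last name, three edits cover most of the string, so unrelated senders land inside the window and only the BEC-language and sender-trust clauses stand between that and an alert. Longer VIP names make the near-match far more specific.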