VIP impersonation with invoicing request

 1name: "VIP impersonation with invoicing request"
 2description: "This rule detects emails attempting to impersonate a VIP, it leverages NLU to determine if there is invoicing verbiage in the current thread, and requires request language."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any($org_vips, strings.contains(sender.display_name, .display_name))
 8  and (
 9    (
10      sender.email.domain.domain in $org_domains
11      // X-headers indicate external sender
12      and headers.x_authenticated_sender.email != sender.email.email
13      and headers.x_authenticated_domain.domain not in $org_domains
14    )
15    or sender.email.domain.domain not in $org_domains
16  )
17  
18  // Invoice Language with a request
19  and (
20    any(ml.nlu_classifier(body.current_thread.text).tags,
21        .name == "invoice"
22        and .confidence in ("medium", "high")
23        and any(ml.nlu_classifier(body.current_thread.text).entities,
24                .name == "request"
25        )
26    )
27  )
28  
29  // and the reply to email address has never been contacted  
30  and any(headers.reply_to, .email.email not in $recipient_emails)
31  
32  // negate highly trusted sender domains unless they fail DMARC authentication
33  and (
34    (
35      sender.email.domain.root_domain in $high_trust_sender_root_domains
36      and not headers.auth_summary.dmarc.pass
37    )
38    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
39  )
40    
41attack_types:
42  - "BEC/Fraud"
43tactics_and_techniques:
44  - "Impersonation: VIP"
45detection_methods:
46  - "Content analysis"
47  - "Header analysis"
48  - "Natural Language Understanding"
49
50id: "a60f89a0-6cd0-5c2d-96de-8800380df407"