VIP impersonation with urgent request (strict match, untrusted sender)

calendar Mar 25, 2026  ·
Share on: linkedin copy

Sender is using a display name that matches the display name of someone in your $org_vips list.

Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.

Sublime rule (View on GitHub)

 1name: "VIP impersonation with urgent request (strict match, untrusted sender)"
 2description: |
 3  Sender is using a display name that matches the display name of someone in your $org_vips list.
 4
 5  Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.  
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any($org_vips, .display_name =~ sender.display_name)
11  and (
12    any(ml.nlu_classifier(body.current_thread.text).intents,
13        .name == "bec" and .confidence in ("medium", "high")
14    )
15    or (
16      any(ml.nlu_classifier(body.current_thread.text).entities,
17          .name == "urgency"
18      )
19      and any(ml.nlu_classifier(body.current_thread.text).entities,
20              .name == "request"
21      )
22    )
23  )
24  and (
25    (
26      profile.by_sender().prevalence != "common"
27      and not profile.by_sender().solicited
28    )
29    or (
30      profile.by_sender().any_messages_malicious_or_spam
31      and not profile.by_sender().any_messages_benign
32    )
33    or profile.by_sender().days_since.last_outbound > 365
34  )
35  // negate sharepoint notifications originating from within the org
36  and not (
37    sender.email.email in ('no-reply@sharepointonline.com')
38    and length(headers.reply_to) > 0
39    and all(headers.reply_to, .email.domain.root_domain in $org_domains)
40  )
41  // negate highly trusted sender domains unless they fail DMARC authentication
42  and (
43    (
44      sender.email.domain.root_domain in $high_trust_sender_root_domains
45      and not headers.auth_summary.dmarc.pass
46    )
47    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
48  )
49  and not profile.by_sender().any_messages_benign  
50attack_types:
51  - "BEC/Fraud"
52tactics_and_techniques:
53  - "Impersonation: VIP"
54  - "Social engineering"
55detection_methods:
56  - "Content analysis"
57  - "Content analysis"
58  - "Natural Language Understanding"
59  - "Sender analysis"
60id: "0dd1fa60-6e89-5f70-81a1-6b64eef0e428"
to-top