VIP impersonation with urgent request (first-time sender)
Sender is using a display name that matches the display name of someone in your $org_vips list.
Detects potential Business Email Compromise (BEC) attacks by analyzing the text of the email body from first-time senders.
Sublime rule:
```yaml
name: "VIP impersonation with urgent request (first-time sender)"
description: |
  Sender is using a display name that matches the display name of someone in your $org_vips list.

  Detects potential Business Email Compromise (BEC) attacks by analyzing the text of the email body from first-time senders.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any($org_vips, .display_name == sender.display_name)
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec" and .confidence == "high")
    or (
      any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
      and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
    )
  )
  // first-time sender
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: VIP"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "0dd1fa60-6e89-5f70-81a1-6b64eef0e428"
```
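To see how the three conditions of the rule combine, here is an added Python model of its logic (not Sublime's code and not the MQL engine): the VIP display-name match, the NLU block, and the first-time-sender block are each written out as a function and evaluated against constructed messages. The NLU classifier output, the list contents, and the simplification of treating `root_domain` and `domain` as the same value are all assumptions.

```python
# Added example (not Sublime's code): a plain-Python model of the rule logic,
# with constructed stand-ins for the rule's lists and a stubbed NLU result.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com"}  # stand-in for $free_email_providers
ORG_VIPS = [{"display_name": "Jane Doe"}]           # stand-in for $org_vips
SENDER_EMAILS = {"jane.doe@gmail.com"}              # stand-in for $sender_emails (known senders)
SENDER_DOMAINS = {"partner.example"}                 # stand-in for $sender_domains (known domains)


def is_first_time_sender(email, free_providers, sender_emails, sender_domains):
    """Mirror of the rule's first-time-sender block: a free-mail sender is
    judged by full address, any other sender by domain. (Assumption: the
    sender's root_domain and domain are treated as the same value here.)"""
    domain = email.split("@", 1)[1].lower()
    if domain in free_providers:
        return email.lower() not in sender_emails
    return domain not in sender_domains


def bec_language_present(nlu):
    """Mirror of the NLU block: a high-confidence 'bec' intent, or both an
    'urgency' and a 'request' entity, found in the current thread text."""
    intents = nlu.get("intents", [])
    entities = nlu.get("entities", [])
    if any(i["name"] == "bec" and i["confidence"] == "high" for i in intents):
        return True
    names = {e["name"] for e in entities}
    return "urgency" in names and "request" in names


def rule_matches(msg, nlu, org_vips=ORG_VIPS, free=FREE_EMAIL_PROVIDERS,
                 sender_emails=SENDER_EMAILS, sender_domains=SENDER_DOMAINS):
    """All three conditions must hold, in the same order as the rule source."""
    if not msg["inbound"]:
        return False
    if not any(v["display_name"] == msg["display_name"] for v in org_vips):
        return False
    if not bec_language_present(nlu):
        return False
    return is_first_time_sender(msg["email"], free, sender_emails, sender_domains)


# Constructed sample: VIP display name on an unseen free-mail address, with
# urgent-request language but only a medium-confidence "bec" intent.
SAMPLE_MSG = {"inbound": True, "display_name": "Jane Doe", "email": "jdoe.ceo@gmail.com"}
SAMPLE_NLU = {"intents": [{"name": "bec", "confidence": "medium"}],
              "entities": [{"name": "urgency"}, {"name": "request"}]}

if __name__ == "__main__":
    print(rule_matches(SAMPLE_MSG, SAMPLE_NLU))  # True
```

The same display name from the already-known `jane.doe@gmail.com` does not fire, which is the point of the first-time-sender guard: the rule is looking for an unfamiliar mailbox borrowing a familiar name.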