VIP impersonation with urgent request (untrusted sender)
Sender is using a display name that matches the display name of someone in your $org_vips list.
Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.
Sublime rule (View on GitHub)
1name: "VIP impersonation with urgent request (untrusted sender)"
2description: |
3 Sender is using a display name that matches the display name of someone in your $org_vips list.
4
5 Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.
6type: "rule"
7severity: "high"
8source: |
9 type.inbound
10 and any($org_vips, .display_name =~ sender.display_name)
11 and (
12 any(ml.nlu_classifier(body.current_thread.text).intents,
13 .name == "bec" and .confidence in ("medium", "high")
14 )
15 or (
16 any(ml.nlu_classifier(body.current_thread.text).entities,
17 .name == "urgency"
18 )
19 and any(ml.nlu_classifier(body.current_thread.text).entities,
20 .name == "request"
21 )
22 )
23 )
24 and (
25 (
26 profile.by_sender().prevalence != "common"
27 and not profile.by_sender().solicited
28 )
29 or (
30 profile.by_sender().any_messages_malicious_or_spam
31 and not profile.by_sender().any_false_positives
32 )
33 )
34
35 // negate highly trusted sender domains unless they fail DMARC authentication
36 and (
37 (
38 sender.email.domain.root_domain in $high_trust_sender_root_domains
39 and (
40 any(distinct(headers.hops, .authentication_results.dmarc is not null),
41 strings.ilike(.authentication_results.dmarc, "*fail")
42 )
43 )
44 )
45 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
46 )
47
48 and not profile.by_sender().any_false_positives
49
50attack_types:
51 - "BEC/Fraud"
52tactics_and_techniques:
53 - "Impersonation: VIP"
54 - "Social engineering"
55detection_methods:
56 - "Content analysis"
57 - "Content analysis"
58 - "Natural Language Understanding"
59 - "Sender analysis"
60id: "0dd1fa60-6e89-5f70-81a1-6b64eef0e428"