VIP impersonation with w2 request with reply-to mismatch

 1name: "VIP impersonation with w2 request with reply-to mismatch"
 2description: "This rule detects emails attempting to impersonate a VIP requesting a W-2 with a reply-to mismatch."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and (
 8    any($org_vips, strings.contains(sender.display_name, .display_name))
 9    or any(regex.extract(sender.display_name, '^(?<first>\S+)\s+(?<second>\S+)$'),
10           any($org_vips,
11               strings.contains(.display_name, ..named_groups["first"])
12               and strings.contains(.display_name, ..named_groups["second"])
13           )
14    )
15  )
16  and not (
17    sender.email.domain.domain in $org_domains
18    and coalesce(headers.auth_summary.dmarc.pass, false)
19  )
20  
21  // W-2 Language with a request
22  and (
23    strings.contains(strings.replace_confusables(subject.base), 'W-2')
24    or strings.icontains(subject.base, 'w2')
25    or strings.icontains(subject.base, 'wage')
26    or strings.icontains(subject.base, 'tax form')
27    or strings.icontains(subject.base, 'irs')
28  )
29  and strings.contains(body.current_thread.text, 'W-2')
30  and any(ml.nlu_classifier(body.current_thread.text).entities,
31          .name == "request"
32  )
33  
34  // different reply-to address
35  and length(headers.reply_to) > 0
36  and sender.email.email not in map(headers.reply_to, .email.email)
37  
38  // negate highly trusted sender domains unless they fail DMARC authentication
39  and not (
40    sender.email.domain.root_domain in $high_trust_sender_root_domains
41    and coalesce(headers.auth_summary.dmarc.pass, false)
42  )  
43attack_types:
44  - "BEC/Fraud"
45tactics_and_techniques:
46  - "Impersonation: VIP"
47detection_methods:
48  - "Content analysis"
49  - "Header analysis"
50  - "Natural Language Understanding"
51id: "e7e73fad-6ce6-51f9-9b52-40eaef71f5a1"