VIP impersonation with w2 request with reply-to mismatch
This rule detects inbound emails whose sender display name matches an organization VIP (but which do not originate from an org domain with passing DMARC), that contain W-2 / tax-form wording together with a request, and whose Reply-To header points to an address other than the sender's — the typical setup for W-2 payroll-data fraud.
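name: "VIP impersonation with w2 request with reply-to mismatch"
description: "This rule detects emails attempting to impersonate a VIP requesting a W-2 with a reply-to mismatch."
type: "rule"
severity: "high"
source: |
  // Only inbound mail is in scope.
  type.inbound

  // Sender display name contains the display name of an org VIP.
  // Matched case-insensitively so that "JOHN SMITH" / "john smith"
  // variants of a VIP's name do not evade the rule.
  // NOTE(review): an $org_vips entry with an empty display_name would
  // match every sender if contains(x, "") evaluates true in MQL — confirm
  // the list has no blank entries, or add `and .display_name != ""`.
  and any($org_vips, strings.icontains(sender.display_name, .display_name))

  // Exclude mail that genuinely comes from the org: an in-domain sender
  // that also passes DMARC. An in-domain sender failing DMARC still fires.
  and not (
    sender.email.domain.domain in $org_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

  // W-2 language in the subject. Confusable characters are normalized and
  // the match is case-insensitive so "w-2" and unicode-hyphen/digit
  // look-alikes are treated the same as "W-2".
  and (
    strings.icontains(strings.replace_confusables(subject.base), 'w-2')
    or strings.icontains(subject.base, 'w2')
    or strings.icontains(subject.base, 'wage')
    or strings.icontains(subject.base, 'tax form')
    or strings.icontains(subject.base, 'irs')
  )

  // W-2 must also be named in the current thread body, normalized the same
  // way as the subject, and the NLU classifier must tag a "request" entity.
  and strings.icontains(strings.replace_confusables(body.current_thread.text), 'w-2')
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request"
  )

  // Reply-To is present and none of its addresses equals the sender
  // address, i.e. replies are diverted away from the displayed sender.
  // NOTE(review): the comparison is exact; a Reply-To that differs from
  // the sender only in letter case counts as a mismatch — confirm that
  // is acceptable before relying on this as the sole reply-to signal.
  and length(headers.reply_to) > 0
  and sender.email.email not in map(headers.reply_to, .email.email)

  // Negate highly trusted sender root domains unless they fail DMARC.
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: VIP"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
id: "e7e73fad-6ce6-51f9-9b52-40eaef71f5a1"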