VIP impersonation with w2 request
This rule detects emails attempting to impersonate a VIP requesting a W-2
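name: "VIP impersonation with w2 request"
description: "This rule detects emails attempting to impersonate a VIP requesting a W-2"
type: "rule"
severity: "high"
# Detection logic (MQL). All four legs must hold: VIP display-name match,
# sender not authenticated as internal, W-2 request language, and a Reply-To
# that diverges from the sender. Trusted-domain senders that pass DMARC are
# excluded at the end.
source: |
  type.inbound

  // Sender display name contains a configured VIP's display name. The match is
  // case-insensitive so "john smith" / "JOHN SMITH" still hit "John Smith".
  // NOTE(review): an $org_vips entry with an empty display_name would match
  // every sender — confirm the list has no blank entries.
  and any($org_vips, strings.icontains(sender.display_name, .display_name))

  // Exclude the genuine VIP: an org-domain sender that passes DMARC. A sender
  // claiming an org domain but failing (or lacking) DMARC is still evaluated.
  and not (
    sender.email.domain.domain in $org_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

  // W-2 language with a request. Matching is case-insensitive and the hyphen
  // is optional so "w-2", "W2" and "W-2s" are all covered; the original
  // case-sensitive 'W-2' substring check missed lower-case variants.
  and regex.icontains(subject.base, '\bw-?2s?\b')
  and regex.icontains(body.current_thread.text, '\bw-?2s?\b')
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request"
  )

  // Different Reply-To address: replies would go to a mailbox the attacker
  // controls rather than back to the (spoofed) sender address.
  and length(headers.reply_to) > 0
  and sender.email.email not in map(headers.reply_to, .email.email)

  // Negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: VIP"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
id: "e7e73fad-6ce6-51f9-9b52-40eaef71f5a1"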