VIP / Executive impersonation (strict match, untrusted)
Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before.
The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message that matches the protected list of display names from a first-time or unsolicited sender.
Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
Sublime rule (View on GitHub)
1name: "VIP / Executive impersonation (strict match, untrusted)"
2description: |
3 Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before.
4
5 The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work.
6 Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
7
8 This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender.
9
10 Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
11type: "rule"
12severity: "high"
13source: |
14 type.inbound
15 and (
16 // the display name matches a name on the orgs vip list
17 any($org_vips, .display_name =~ sender.display_name)
18 // or the display name starts with the name on the orgs vip list
19 or (
20 any($org_vips,
21 strings.istarts_with(sender.display_name, .display_name)
22 // and it is longer than just their name (eg. John Doe CEO)
23 and length(sender.display_name) > length(.display_name)
24 )
25 // and we have confidence it's BEC
26 and any(ml.nlu_classifier(body.current_thread.text).intents,
27 .name == "bec" and .confidence == "high"
28 )
29 )
30 )
31 and (
32 // ignore personal <> work emails
33 // where the sender and mailbox's display name are the same
34 length(recipients.to) > 0
35 or length(recipients.cc) > 0
36 or sender.display_name != mailbox.display_name
37 )
38 // bounce-back negations
39 and not strings.like(sender.email.local_part,
40 "*postmaster*",
41 "*mailer-daemon*",
42 "*administrator*"
43 )
44 and not any(attachments,
45 .content_type in (
46 "message/rfc822",
47 "message/delivery-status",
48 "text/calendar"
49 )
50 )
51 and (
52 (
53 profile.by_sender().prevalence in ("new", "outlier")
54 and not profile.by_sender().solicited
55 )
56 or (
57 profile.by_sender().any_messages_malicious_or_spam
58 and not profile.by_sender().any_messages_benign
59 )
60 )
61 and (
62 (
63 sender.email.domain.root_domain in $org_domains
64 and not headers.auth_summary.dmarc.pass
65 )
66 or sender.email.domain.root_domain not in $org_domains
67 )
68 and not profile.by_sender().any_messages_benign
69
70tags:
71 - "Attack surface reduction"
72attack_types:
73 - "BEC/Fraud"
74tactics_and_techniques:
75 - "Impersonation: VIP"
76detection_methods:
77 - "Header analysis"
78 - "Sender analysis"
79id: "e42c84b7-9d50-5870-9a5d-311670a14bc1"