VIP / Executive impersonation (strict match, untrusted)

 1name: "VIP / Executive impersonation (strict match, untrusted)"
 2description: |
 3  Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before.
 4
 5  The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work.
 6  Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
 7
 8  This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender.
 9
10  Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.  
11type: "rule"
12severity: "high"
13source: |
14  type.inbound
15  and (
16    // the display name matches a name on the orgs vip list
17    any($org_vips, .display_name =~ sender.display_name)
18    // or the display name starts with the name on the orgs vip list
19    or (
20      any($org_vips,
21          strings.istarts_with(sender.display_name, .display_name)
22          // and it is longer than just their name (eg. John Doe CEO)
23          and length(sender.display_name) > length(.display_name)
24      )
25      // and we have confidence it's BEC
26      and any(ml.nlu_classifier(body.current_thread.text).intents,
27              .name == "bec" and .confidence == "high"
28      )
29    )
30  )
31  and (
32    // ignore personal <> work emails
33    // where the sender and mailbox's display name are the same
34    length(recipients.to) > 0
35    or length(recipients.cc) > 0
36    or sender.display_name != mailbox.display_name
37  )
38  // bounce-back negations
39  and not strings.like(sender.email.local_part,
40                       "*postmaster*",
41                       "*mailer-daemon*",
42                       "*administrator*"
43  )
44  and not any(attachments,
45              .content_type in (
46                "message/rfc822",
47                "message/delivery-status",
48                "text/calendar"
49              )
50  )
51  and (
52    (
53      profile.by_sender_email().prevalence in ("new", "outlier")
54      and not profile.by_sender_email().solicited
55    )
56    or (
57      profile.by_sender_email().any_messages_malicious_or_spam
58      and not profile.by_sender_email().any_messages_benign
59    )
60    // mismatched reply-to with unsoliticed reply-to address
61    or (
62      length(headers.reply_to) > 0
63      and (sender.email.email not in map(headers.reply_to, .email.email))
64      // negate reply-to addresses that are within the org domain
65      and not all(headers.reply_to,
66                  .email.domain.domain in $org_domains
67                  or .email.domain.root_domain in $org_domains
68      )
69      //
70      // This rule makes use of a beta feature and is subject to change without notice
71      // using the beta feature in custom rules is not suggested until it has been formally released
72      //
73      and not beta.profile.by_reply_to().solicited
74      and beta.profile.by_reply_to().prevalence != "common"
75    )
76  )
77  and (
78    (
79      sender.email.domain.root_domain in $org_domains
80      and not headers.auth_summary.dmarc.pass
81    )
82    or sender.email.domain.root_domain not in $org_domains
83  )
84  and not profile.by_sender_email().any_messages_benign  
85tags:
86  - "Attack surface reduction"
87attack_types:
88  - "BEC/Fraud"
89tactics_and_techniques:
90  - "Impersonation: VIP"
91detection_methods:
92  - "Header analysis"
93  - "Sender analysis"
94id: "e42c84b7-9d50-5870-9a5d-311670a14bc1"