VIP / Executive impersonation (untrusted)

calendar Apr 30, 2024  ·
Share on: linkedin copy

Sender display name or subject matches the display name of a user in the $org_vips list, and the sender has never been seen before.

The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list

This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message that matches the protected list of display names from a first-time or unsolicited sender.

Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.

Sublime rule (View on GitHub)

 1name: "VIP / Executive impersonation (untrusted)"
 2description: |
 3  Sender display name or subject matches the display name of a user in the $org_vips list, and the sender has never been seen before.
 4
 5  The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work.
 6  Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
 7
 8  This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender.
 9
10  Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.  
11type: "rule"
12severity: "high"
13source: |
14  type.inbound
15  and (
16    any($org_vips, .display_name =~ sender.display_name)
17    or any($org_vips, strings.contains(subject.subject, .display_name))
18  )
19  and (
20    // ignore personal <> work emails
21    // where the sender and mailbox's display name are the same
22    length(recipients.to) > 0
23    or length(recipients.cc) > 0
24    or sender.display_name != mailbox.display_name
25  )
26  // bounce-back negations
27  and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
28  and not any(attachments,
29              .content_type in (
30                "message/rfc822",
31                "message/delivery-status",
32                "text/calendar"
33              )
34  )
35  and (
36    (
37      profile.by_sender().prevalence in ("new", "outlier")
38      and not profile.by_sender().solicited
39    )
40    or (
41      profile.by_sender().any_messages_malicious_or_spam
42      and not profile.by_sender().any_false_positives
43    )
44  )
45  and (
46    (
47      sender.email.domain.root_domain in $org_domains
48      and not headers.auth_summary.dmarc.pass
49    )
50    or sender.email.domain.root_domain not in $org_domains
51  )
52  and not profile.by_sender().any_false_positives  
53
54attack_types:
55  - "BEC/Fraud"
56tactics_and_techniques:
57  - "Impersonation: VIP"
58detection_methods:
59  - "Header analysis"
60  - "Sender analysis"
61id: "e42c84b7-9d50-5870-9a5d-311670a14bc1"
to-top