VIP / Executive impersonation (first-time sender, unsolicited)

calendar Aug 21, 2023 · Attack surface reduction  ·
Share on: linkedin copy

Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before.

The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list

This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message that matches the protected list of display names from a first-time or unsolicited sender.

Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.

Sublime rule (View on GitHub)

 1name: "VIP / Executive impersonation (first-time sender, unsolicited)"
 2description: |
 3  Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before.
 4
 5  The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work.
 6  Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
 7
 8  This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender.
 9
10  Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.  
11type: "rule"
12severity: "high"
13source: |
14  type.inbound
15  and any($org_vips, .display_name == sender.display_name)
16  and (
17    // ignore personal <> work emails
18    // where the sender and mailbox's display name are the same
19    length(recipients.to) > 1
20    or length(recipients.cc) > 1
21    or sender.display_name != mailbox.display_name
22  )
23
24  // first-time sender
25  and (
26    (
27      sender.email.domain.root_domain in $free_email_providers
28      and sender.email.email not in $sender_emails
29    )
30    or (
31      sender.email.domain.root_domain not in $free_email_providers
32      and sender.email.domain.domain not in $sender_domains
33    )
34  )
35
36  // unsolicited
37  and (
38    (
39      sender.email.domain.root_domain in $free_email_providers
40      and sender.email.email not in $recipient_emails
41    )
42    or (
43      sender.email.domain.root_domain not in $free_email_providers
44      and sender.email.domain.domain not in $recipient_domains
45    )
46  )  
47tags:
48  - "Attack surface reduction"
49attack_types:
50  - "BEC/Fraud"
51tactics_and_techniques:
52  - "Impersonation: VIP"
53detection_methods:
54  - "Header analysis"
55  - "Sender analysis"
56id: "e42c84b7-9d50-5870-9a5d-311670a14bc1"

Related rules

to-top