VIP impersonation with charitable donation fraud

Fake email thread shows a VIP requesting a donation to a charity, usually addressed to Accounts Payable departments. Can result in monetary loss.

Sublime rule

 1name: "VIP impersonation with charitable donation fraud"
 2description: "Fake email thread shows a VIP requesting a donation to a charity, usually addressed to Accounts Payable departments. Can result in monetary loss."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and strings.ilike(body.current_thread.text, "*charity*", "*gala*", "*donation*", "*donor*")
 8  and any(ml.nlu_classifier(body.current_thread.text).entities,
 9          .name == "financial"
10  )
11  and any(ml.nlu_classifier(body.current_thread.text).entities,
12          .name == "request"
13  )
14  and (
15    any($org_vips, strings.icontains(body.html.inner_text, .display_name))
16    or any($org_vips, strings.icontains(body.plain.raw, .display_name))
17  )
18  and (
19    (
20      (
21        strings.istarts_with(subject.subject, "RE:")
22        or strings.istarts_with(subject.subject, "FW:")
23        or strings.istarts_with(subject.subject, "FWD:")
24      )
25      and (
26        (length(headers.references) == 0 and headers.in_reply_to is null)
27        or not any(headers.hops,
28                   any(.fields, strings.ilike(.name, "In-Reply-To"))
29        )
30      )
31    )
32    // fake thread, but no indication in the subject line
33    // current_thread pulls the recent thread, but the full body contains the fake "original" email
34    or (
35      not (
36        (
37          strings.istarts_with(subject.subject, "RE:")
38          or strings.istarts_with(subject.subject, "FWD:")
39        )
40      )
41      and 3 of (
42        strings.icontains(body.html.display_text, "from:"),
43        strings.icontains(body.html.display_text, "to:"),
44        strings.icontains(body.html.display_text, "sent:"),
45        strings.icontains(body.html.display_text, "subject:")
46      )
47      and (
48        length(body.current_thread.text) + 100 < length(body.html.display_text)
49      )
50      // negating bouncebacks
51      and not any(attachments,
52                  .content_type in ("message/delivery-status", "message/rfc822")
53      )
54    )
55  )
56  and (
57    profile.by_sender().prevalence in ("new", "rare")
58    or profile.by_sender().days_known > 30
59  )
60  and not profile.by_sender().any_false_positives  
61
62attack_types:
63  - "BEC/Fraud"
64tactics_and_techniques:
65  - "Impersonation: Employee"
66  - "Impersonation: VIP"
67  - "Social engineering"
68detection_methods:
69  - "Content analysis"
70  - "Header analysis"
71  - "Natural Language Understanding"
72  - "Sender analysis"
73id: "35a56b8e-9293-5ccf-95d3-c990152d8f48"