VIP impersonation with charitable donation fraud

Fake email thread shows a VIP requesting a donation to a charity, usually addressed to Accounts Payable departments. Can result in monetary loss.

Sublime rule (View on GitHub)

name: "VIP impersonation with charitable donation fraud"
description: "Fake email thread shows a VIP requesting a donation to a charity, usually addressed to Accounts Payable departments. Can result in monetary loss."
type: "rule"
severity: "high"
# MQL query. Every top-level `and` clause below must hold for the message to match.
source: |
  type.inbound
  // Topic gate: the most recent message in the thread mentions charity / donation language.
  and strings.ilike(body.current_thread.text,
                    "*charity*",
                    "*gala*",
                    "*donation*",
                    "*donor*"
  )
  // NLU gate: the current thread is classified as both a "financial" matter and a "request".
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "financial"
  )
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request"
  )
  // VIP reference: the display name of an entry in the $org_vips list appears somewhere in the
  // body text (HTML or plain). This is a body-text name match, not a sender / header match.
  and (
    any($org_vips, strings.icontains(body.html.inner_text, .display_name))
    or any($org_vips, strings.icontains(body.plain.raw, .display_name))
  )
  // Fake-thread evidence, in one of two shapes.
  and (
    // Shape 1: the subject claims a reply / forward, but the threading headers do not back it up
    // (no References and no In-Reply-To, or no hop carries an In-Reply-To field).
    (
      (subject.is_forward or subject.is_reply)
      and (
        (length(headers.references) == 0 and headers.in_reply_to is null)
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
    )
    // fake thread, but no indication in the subject line
    // current_thread pulls the recent thread, but the full body contains the fake "original" email
    or (
      not ((subject.is_forward or subject.is_reply))
      and (
        // At least three of the four quoted-header labels appear in the rendered body,
        // or the body parser already split out a previous thread.
        3 of (
          strings.icontains(body.html.display_text, "from:"),
          strings.icontains(body.html.display_text, "to:"),
          strings.icontains(body.html.display_text, "sent:"),
          strings.icontains(body.html.display_text, "subject:")
        )
        or length(body.previous_threads) > 0
      )
      // The rendered body is more than 100 characters longer than the extracted current thread,
      // i.e. there is quoted "original" content the current-thread extraction did not cover.
      and (
        length(body.current_thread.text) + 100 < length(body.html.display_text)
      )
      // negating bouncebacks
      and not any(attachments,
                  .content_type in ("message/delivery-status", "message/rfc822")
      )
    )
  )
  // Sender reputation: new / rare senders, or senders known for more than 30 days.
  // NOTE(review): the `days_known > 30` disjunct admits long-established senders; combined with the
  // any_messages_benign exclusion below this reads as "known but never benign", which may be
  // intentional — confirm it is not meant to be `< 30`.
  and (
    profile.by_sender().prevalence in ("new", "rare")
    or profile.by_sender().days_known > 30
  )
  // False-positive guard: skip senders that already have messages marked benign.
  and not profile.by_sender().any_messages_benign  

# Rule taxonomy metadata (not part of the query).
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Impersonation: VIP"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "35a56b8e-9293-5ccf-95d3-c990152d8f48"