VIP impersonation: Fake thread with display name match, email mismatch

This rule is intended to detect fake threads that impersonate a VIP. It looks for a quoted "From:" line whose display name matches an entry in $org_vips and checks that the email address following it does not match the address recorded for that entry in the $org_vips list.

Sublime rule

name: "VIP impersonation: Fake thread with display name match, email mismatch"
description: "This rule is intended to detect fake threads that are impersonating a VIP. It looks for a matching $org_vips display name and checks the email address following it does not match what is in the $org_vips list."
type: "rule"
severity: "medium"
# Detection logic, clause by clause (all clauses are AND-ed together):
#  1. For at least one $org_vips entry, the rendered HTML body contains a
#     quoted header line "From: <display_name> <" but NOT the full
#     "From: <display_name> <<email>>" built from the same entry, i.e. the
#     VIP's display name is reused with some other address. Only
#     body.html.display_text is inspected by this clause, so a message with
#     no HTML body is not examined here.
#  2. At least 3 of the 6 header-style markers (from:/to:/sent:/date:/cc:/
#     subject:) appear in at least one of the three body representations,
#     which indicates an embedded (quoted or forwarded) thread.
#  3. The References header is empty, or In-Reply-To is absent: the message
#     is not threaded as a genuine reply even though its body shows one.
#  4. The sender's domain is under 90 days old per whois, or the sender has
#     never been seen before (days_known == 0).
#  5. The recipient has not solicited mail from this sender.
# All string matching uses strings.icontains, which (per its name) is a
# case-insensitive substring test.
source: |
  type.inbound
  and any($org_vips,
          strings.icontains(body.html.display_text,
                            strings.concat("From: ", .display_name, " <")
          )
          and not strings.icontains(body.html.display_text,
                                    strings.concat("From: ",
                                                   .display_name,
                                                   " <",
                                                   .email,
                                                   ">"
                                    )
          )
  )
  and any([body.current_thread.text, body.html.display_text, body.plain.raw],
          3 of (
            strings.icontains(., "from:"),
            strings.icontains(., "to:"),
            strings.icontains(., "sent:"),
            strings.icontains(., "date:"),
            strings.icontains(., "cc:"),
            strings.icontains(., "subject:")
          )
  )
  and (length(headers.references) == 0 or headers.in_reply_to is null)
  and (
    network.whois(sender.email.domain).days_old < 90
    or profile.by_sender().days_known == 0
  )
  and not profile.by_sender().solicited  
# Classification metadata used for triage and reporting.
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: VIP"
  - "Social engineering"
  - "Spoofing"
# Signal categories this rule relies on (body content, headers, sender
# profile, and the whois lookup in clause 4).
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "Whois"
id: "11cc3e28-65db-5c7e-9436-9d0a700da971"