VIP impersonation: Fake thread with display name match, email mismatch
This rule is intended to detect fake (quoted or forwarded-looking) threads that impersonate a VIP. It looks for a quoted "From:" line whose display name matches an entry in the $org_vips list and checks that the email address following that display name does not match the address recorded for that VIP in $org_vips.
# Sublime Security detection rule (YAML wrapper around an MQL query in `source`).
# The query is a conjunction: every top-level `and` clause below must hold for
# the rule to fire on a message.
name: "VIP impersonation: Fake thread with display name match, email mismatch"
description: "This rule is intended to detect fake threads that are impersonating a VIP. It looks for a matching $org_vips display name and checks the email address following it does not match what is in the $org_vips list."
type: "rule"
severity: "medium"
source: |
  // Only inbound messages are evaluated.
  type.inbound
  // For at least one entry in the $org_vips list, the rendered HTML body must
  // contain a quoted header line shaped like `From: <display_name> <` (case-
  // insensitive), and must NOT contain that same display name paired with the
  // VIP's recorded address, i.e. `From: <display_name> <<email>>`.
  // NOTE(review): because the second check is a `not`, a body that also quotes
  // the genuine `From: <name> <real address>` line makes this VIP entry fail,
  // even if a forged line for the same name is present elsewhere in the body.
  // NOTE(review): only body.html.display_text is inspected here, whereas the
  // thread-marker check below also looks at body.current_thread.text and
  // body.plain.raw -- confirm a plain-text-only fake thread is meant to be
  // out of scope for this rule.
  // NOTE(review): the match is anchored on the literal layout "From: " + name
  // + " <"; quoted headers rendered in another layout (no space before "<",
  // a "[mailto:...]" form, etc.) presumably fall outside this pattern -- verify
  // against the mail clients seen in the environment.
  and any($org_vips,
          strings.icontains(body.html.display_text,
                            strings.concat("From: ", .display_name, " <")
          )
          and not strings.icontains(body.html.display_text,
                                    strings.concat("From: ",
                                                   .display_name, " <",
                                                   .email, ">"
                                    )
          )
  )
  // The message must look like a quoted/forwarded thread: at least 3 of the 6
  // header markers must appear (case-insensitively) in a single body
  // representation -- current thread text, rendered HTML, or raw plain text.
  and any([body.current_thread.text, body.html.display_text, body.plain.raw],
          3 of (
            strings.icontains(., "from:"),
            strings.icontains(., "to:"),
            strings.icontains(., "sent:"),
            strings.icontains(., "date:"),
            strings.icontains(., "cc:"),
            strings.icontains(., "subject:")
          )
  )
  // A quoted thread with no threading headers is suspicious: flag when the
  // References header is empty or In-Reply-To is absent.
  and (
    length(headers.references) == 0
    or headers.in_reply_to is null
  )
  // Sender gate: the sending domain is less than 90 days old per WHOIS, or the
  // organization has never seen this sender before.
  // NOTE(review): if the WHOIS lookup returns no age, the `< 90` comparison
  // presumably does not hold and this clause then depends on days_known == 0
  // alone -- confirm the intended behaviour for unresolvable domains.
  and (
    network.whois(sender.email.domain).days_old < 90
    or profile.by_sender().days_known == 0
  )
  // Suppress senders the organization has previously solicited.
  and not profile.by_sender().solicited
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: VIP"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "Whois"
id: "11cc3e28-65db-5c7e-9436-9d0a700da971"