VIP impersonation: Fake thread with display name match, email mismatch

This rule is intended to detect fake threads that are impersonating a VIP. It looks for a matching $org_vips display name and checks that the email address following it does not match the one in the $org_vips list.


# Sublime Security detection rule. Every top-level `and` clause in `source`
# must hold for the rule to fire.
name: "VIP impersonation: Fake thread with display name match, email mismatch"
description: "This rule is intended to detect fake threads that are impersonating a VIP. It looks for a matching $org_vips display name and checks the email address following it does not match what is in the $org_vips list."
type: "rule"
severity: "medium"
# `|` keeps the query verbatim; `//` lines inside it are MQL comments, not YAML ones.
source: |
  // Only inbound mail is evaluated.
  type.inbound
  // For at least one $org_vips entry, the rendered HTML body contains
  // "From: <display_name> <" (case-insensitive) but NOT that same prefix
  // completed with the entry's own address, "From: <display_name> <<email>>".
  // This is the core signal: a quoted From: line that borrows a VIP's name
  // while carrying a different address. Only body.html.display_text is
  // inspected, so a message with no HTML body cannot satisfy this clause.
  and any($org_vips,
          strings.icontains(body.html.display_text,
                            strings.concat("From: ", .display_name, " <")
          )
          and not strings.icontains(body.html.display_text,
                                strings.concat("From: ",
                                               .display_name, " <",
                                               .email, ">"
                                )
          )
  )
  // Quoted-thread heuristic: at least three of the four usual forwarded-header
  // labels appear somewhere in the HTML body text.
  and 3 of (
    strings.icontains(body.html.display_text, "from:"),
    strings.icontains(body.html.display_text, "to:"),
    strings.icontains(body.html.display_text, "sent:"),
    strings.icontains(body.html.display_text, "subject:")
  )
  // The message itself carries no threading headers: References is empty and
  // no hop has an In-Reply-To field (name matched case-insensitively), so it
  // is not an actual reply despite presenting as a thread.
  and (
    length(headers.references) == 0
    and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  // Sender context: WHOIS reports the sender's domain as fewer than 90 days
  // old, or the sender profile has days_known == 0 (not previously seen).
  and (
    network.whois(sender.email.domain).days_old < 90
    or profile.by_sender().days_known == 0
  )
  // Suppress senders whose profile is flagged as solicited.
  and not profile.by_sender().solicited

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: VIP"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "Whois"
# Stable rule identifier; keep unchanged when editing the rule body.
id: "11cc3e28-65db-5c7e-9436-9d0a700da971"