VIP impersonation: Fake thread with display name match, email mismatch
This rule is intended to detect fake threads that are impersonating a VIP. It looks for a matching $org_vips display name and checks the email address following it does not match what is in the $org_vips list.
Sublime rule (View on GitHub)
1name: "VIP impersonation: Fake thread with display name match, email mismatch"
2description: "This rule is intended to detect fake threads that are impersonating a VIP. It looks for a matching $org_vips display name and checks the email address following it does not match what is in the $org_vips list."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and any($org_vips,
8 strings.icontains(body.html.display_text,
9 strings.concat("From: ", .display_name, " <")
10 )
11 and not strings.icontains(body.html.display_text,
12 strings.concat("From: ",
13 .display_name,
14 " <",
15 .email,
16 ">"
17 )
18 )
19 )
20 and any([body.current_thread.text, body.html.display_text, body.plain.raw],
21 3 of (
22 strings.icontains(., "from:"),
23 strings.icontains(., "to:"),
24 strings.icontains(., "sent:"),
25 strings.icontains(., "date:"),
26 strings.icontains(., "cc:"),
27 strings.icontains(., "subject:")
28 )
29 )
30 and (length(headers.references) == 0 or headers.in_reply_to is null)
31attack_types:
32 - "BEC/Fraud"
33tactics_and_techniques:
34 - "Evasion"
35 - "Impersonation: VIP"
36 - "Social engineering"
37 - "Spoofing"
38detection_methods:
39 - "Content analysis"
40 - "Header analysis"
41 - "Sender analysis"
42 - "Whois"
43id: "11cc3e28-65db-5c7e-9436-9d0a700da971"