VIP impersonation: VIP recipient of previous thread with HTML generator
Detects inbound messages that impersonate invoice communications impersonating organizational VIPs, where the message appears in a thread previously involving VIP recipients. The rule identifies a specific template technique where the HTML body contains markers associated with 'Advanced HTML parser' tooling or a suspicious '
Sublime rule (View on GitHub)
1name: "VIP impersonation: VIP recipient of previous thread with HTML generator"
2description: "Detects inbound messages that impersonate invoice communications impersonating organizational VIPs, where the message appears in a thread previously involving VIP recipients. The rule identifies a specific template technique where the HTML body contains markers associated with 'Advanced HTML parser' tooling or a suspicious '<title>HTML Message</title>' tag. Both are artifacts commonly left by tools used to craft or obfuscate invoice lure content. Observed samples spoof leadership-recognition invoice themes naming specific executives as the invoiced party."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and any(body.previous_threads,
8 any(.recipients.to,
9 any($org_vips,
10 strings.icontains(..display_name, .display_name)
11 or strings.icontains(..email.email, .email)
12 )
13 )
14 )
15 and (
16 strings.icontains(body.html.raw, 'Advanced HTML parser')
17 or regex.icontains(body.html.raw, '<title>\s*HTML Message\s*</title>')
18 )
19attack_types:
20 - "BEC/Fraud"
21tactics_and_techniques:
22 - "Impersonation: VIP"
23 - "Social engineering"
24 - "Evasion"
25detection_methods:
26 - "HTML analysis"
27 - "Content analysis"
28 - "Sender analysis"
29id: "77839c4f-2c61-5360-ade4-a32a211340e0"