VIP impersonation: Invoice fraud with mobile device sign-off
Detects inbound messages where a prior thread contains a reply from a known VIP - identifiable by display name or email address and signed off with a 'Sent from my iPhone' or 'Sent from my iPad' footer. However that VIP has been silently dropped from the current message's recipients. This pattern is consistent with fraudulent invoice and payment request lures where an attacker impersonates an internal executive in a thread, then removes them before requesting payment action from the remaining recipients.
Sublime rule (View on GitHub)
1name: "VIP impersonation: Invoice fraud with mobile device sign-off"
2description: "Detects inbound messages where a prior thread contains a reply from a known VIP - identifiable by display name or email address and signed off with a 'Sent from my iPhone' or 'Sent from my iPad' footer. However that VIP has been silently dropped from the current message's recipients. This pattern is consistent with fraudulent invoice and payment request lures where an attacker impersonates an internal executive in a thread, then removes them before requesting payment action from the remaining recipients."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and any(map(filter(body.previous_threads,
8 any($org_vips,
9 strings.icontains(..sender.display_name, .display_name)
10 or (
11 .email != ""
12 and strings.icontains(..sender.email.email, .email)
13 )
14 )
15 and (
16 strings.iends_with(.text, "sent from my iphone.")
17 or strings.iends_with(.text, "sent from my ipad.")
18 )
19 and (
20 any(ml.nlu_classifier(.text, subject=.subject.base).topics,
21 (
22 .name == "Financial Communications"
23 or .name == "Request to View Invoice"
24 )
25 and .confidence != "low"
26 )
27 or any(ml.nlu_classifier(.text, subject=.subject.base).tags,
28 (.name == "invoice" or .name == "payment")
29 and .confidence != "low"
30 )
31 )
32 ),
33 .sender.email.email
34 ),
35 . == ""
36 or (
37 not strings.icontains(sender.email.email, .)
38 and not any(flatten([recipients.to, recipients.cc, recipients.bcc]),
39 strings.icontains(.email.email, ..)
40 )
41 )
42 )
43attack_types:
44 - "BEC/Fraud"
45tactics_and_techniques:
46 - "Impersonation: VIP"
47 - "Social engineering"
48detection_methods:
49 - "Content analysis"
50 - "Sender analysis"
51id: "7b3b9dcb-adcf-5335-813b-51f1a42cb4d6"