VIP impersonation: Fabricated thread history with fake VIP recipients

Detects inbound messages that contain forged prior thread histories where the fake headers use abnormal spacing around colons - a hallmark of programmatically generated preambles. The fabricated threads reference VIP recipients from the organization who are absent from the live message's actual recipients, suggesting the thread was constructed to manufacture legitimacy. Observed messages impersonate finance or accounts payable workflows, referencing overdue invoices, balance statements, and payment requests targeting real vendors and internal stakeholders.

Sublime rule (View on GitHub)

 1name: "VIP impersonation: Fabricated thread history with fake VIP recipients"
 2description: "Detects inbound messages that contain forged prior thread histories where the fake headers use abnormal spacing around colons - a hallmark of programmatically generated preambles. The fabricated threads reference VIP recipients from the organization who are absent from the live message's actual recipients, suggesting the thread was constructed to manufacture legitimacy. Observed messages impersonate finance or accounts payable workflows, referencing overdue invoices, balance statements, and payment requests targeting real vendors and internal stakeholders."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(filter(body.previous_threads,
 8                 // single recipient in the previous thread
 9                 length(.recipients.to) == 1
10                 and length(.recipients.cc) == 0
11                 // contains spaces around the colons of the "headers"
12                 and strings.count(.preamble, ' : ') >= 2
13                 and regex.icount(.preamble, '(?m)^\s*[a-z]+ +: +\S') == regex.icount(.preamble,
14                                                                                      '(?m)^.'
15                 )
16          ),
17          // the previous thread with the goofy spaces
18          // includes a VIP as a recipient
19          any(map(filter(.recipients.to,
20                         // via email
21                         .email.email != ""
22                         and any($org_vips,
23                                 strings.icontains(..email.email, .email)
24                                 or strings.icontains(..display_name,
25                                                      .display_name
26                                 )
27                         )
28                  ),
29                  .email.email
30              ),
31              // email is not in the "live" messages
32              not strings.icontains(sender.email.email, .)
33              and not any(recipients.to, strings.icontains(.email.email, ..))
34              and not any(recipients.cc, strings.icontains(.email.email, ..))
35          )
36          or any(map(filter(.recipients.to,
37                            // via display_name
38                            .email.email == ""
39                            and any($org_vips,
40                                    strings.icontains(..display_name,
41                                                      .display_name
42                                    )
43                            )
44                     ),
45                     .display_name
46                 ),
47                 // display name is not in the "live" messages
48                 not any(recipients.to, .display_name == ..)
49                 and not any(recipients.cc, .display_name == ..)
50                 and sender.display_name != .
51          )
52  )  
53attack_types:
54  - "BEC/Fraud"
55tactics_and_techniques:
56  - "Impersonation: VIP"
57  - "Social engineering"
58  - "Evasion"
59  - "Spoofing"
60detection_methods:
61  - "Content analysis"
62  - "Header analysis"
63  - "Sender analysis"
64id: "b566ef3c-f5c0-5937-a73a-f33b98e02275"
to-top