VIP / Executive impersonation in subject (untrusted)
Sender subject contains the display name of a user in the $org_vips list, and the sender has never been seen before.
The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message that matches the protected list of display names from a first-time or unsolicited sender.
Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
Sublime rule (View on GitHub)
1name: "VIP / Executive impersonation in subject (untrusted)"
2description: |
3 Sender subject contains the display name of a user in the $org_vips list, and the sender has never been seen before.
4
5 The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work.
6 Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
7
8 This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender.
9
10 Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
11type: "rule"
12severity: "medium"
13source: |
14 type.inbound
15 and any($org_vips,
16 strings.contains(subject.subject, .display_name)
17 and strings.contains(.display_name, " ")
18 )
19 // not being sent to said VIP
20 and not (
21 (
22 length(recipients.to) == 1
23 and all(recipients.to,
24 any($org_vips,
25 .email == ..email.email
26 and strings.contains(subject.subject, .display_name)
27 and strings.contains(.display_name, " ")
28 )
29 )
30 )
31 )
32 and (
33 // ignore personal <> work emails
34 // where the sender and mailbox's display name are the same
35 length(recipients.to) > 0
36 or length(recipients.cc) > 0
37 or sender.display_name != mailbox.display_name
38 )
39 // bounce-back negations
40 and not strings.like(sender.email.local_part,
41 "*postmaster*",
42 "*mailer-daemon*",
43 "*administrator*"
44 )
45 and not any(attachments,
46 .content_type in (
47 "message/rfc822",
48 "message/delivery-status",
49 "text/calendar"
50 )
51 )
52 and (
53 (
54 profile.by_sender().prevalence in ("new", "outlier")
55 and not profile.by_sender().solicited
56 )
57 or (
58 profile.by_sender().any_messages_malicious_or_spam
59 and not profile.by_sender().any_messages_benign
60 )
61 )
62
63 // negate org domains unless they fail DMARC authentication
64 and (
65 (
66 sender.email.domain.root_domain in $org_domains
67 and not headers.auth_summary.dmarc.pass
68 )
69 or sender.email.domain.root_domain not in $org_domains
70 )
71
72 // negate highly trusted sender domains unless they fail DMARC authentication
73 and (
74 (
75 sender.email.domain.root_domain in $high_trust_sender_root_domains
76 and not headers.auth_summary.dmarc.pass
77 )
78 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
79 )
80
81tags:
82 - "Attack surface reduction"
83attack_types:
84 - "BEC/Fraud"
85tactics_and_techniques:
86 - "Impersonation: VIP"
87detection_methods:
88 - "Header analysis"
89 - "Sender analysis"
90id: "0a641fe5-70b9-5f4e-9c34-0d70eac11fae"