VIP / Executive impersonation in subject (untrusted)

Sender subject contains the display name of a user in the $org_vips list, and the sender has never been seen before.

The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list

This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message that matches the protected list of display names from a first-time or unsolicited sender.

Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.

Sublime rule (View on GitHub)

 1name: "VIP / Executive impersonation in subject (untrusted)"
 2description: |
 3  Sender subject contains the display name of a user in the $org_vips list, and the sender has never been seen before.
 4  
 5  The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work.
 6  Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
 7  
 8  This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender.
 9  
10  Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.  
11type: "rule"
12severity: "medium"
13source: |
14  type.inbound
15  and any($org_vips,
16          strings.contains(subject.subject, .display_name)
17          and strings.contains(.display_name, " ")
18  )
19  // not being sent to said VIP
20  and not (
21    (
22      length(recipients.to) == 1
23      and all(recipients.to,
24              any($org_vips,
25                  .email == ..email.email
26                  and strings.contains(subject.subject, .display_name)
27                  and strings.contains(.display_name, " ")
28              )
29      )
30    )
31  )
32  and (
33    // ignore personal <> work emails
34    // where the sender and mailbox's display name are the same
35    length(recipients.to) > 0
36    or length(recipients.cc) > 0
37    or sender.display_name != mailbox.display_name
38  )
39  // bounce-back negations
40  and not strings.like(sender.email.local_part,
41                       "*postmaster*",
42                       "*mailer-daemon*",
43                       "*administrator*"
44  )
45  and not any(attachments,
46              .content_type in (
47                "message/rfc822",
48                "message/delivery-status",
49                "text/calendar"
50              )
51  )
52  and (
53    (
54      profile.by_sender().prevalence in ("new", "outlier")
55      and not profile.by_sender().solicited
56    )
57    or (
58      profile.by_sender().any_messages_malicious_or_spam
59      and not profile.by_sender().any_messages_benign
60    )
61  )
62  
63  // negate org domains unless they fail DMARC authentication
64  and (
65    (
66      sender.email.domain.root_domain in $org_domains
67      and not headers.auth_summary.dmarc.pass
68    )
69    or sender.email.domain.root_domain not in $org_domains
70  )
71  
72  // negate highly trusted sender domains unless they fail DMARC authentication
73  and (
74    (
75      sender.email.domain.root_domain in $high_trust_sender_root_domains
76      and not headers.auth_summary.dmarc.pass
77    )
78    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
79  )  
80
81tags:
82  - "Attack surface reduction"
83attack_types:
84  - "BEC/Fraud"
85tactics_and_techniques:
86  - "Impersonation: VIP"
87detection_methods:
88  - "Header analysis"
89  - "Sender analysis"
90id: "0a641fe5-70b9-5f4e-9c34-0d70eac11fae"

Related rules

to-top