VIP impersonation: VIP name within a delimited subject with fake previous threads

Detects inbound messages where a known VIP's display name appears in the subject line surrounded by quotation marks or forward-slash delimiters (e.g., /Name/, Name (in quotes), -//Name), and where prior thread history confirms the VIP either authored a previous message or is being actively impersonated by a mismatched sender. Observed lures include fabricated invoices, leadership recognition offers, and forwarded billing threads referencing real executives by name and company. The pattern spans multiple sender domains and spoofed invoice references, all anchored to VIP identity signals extracted from thread context.

Sublime rule (View on GitHub)

 1name: "VIP impersonation: VIP name within a delimited subject with fake previous threads"
 2description: "Detects inbound messages where a known VIP's display name appears in the subject line surrounded by quotation marks or forward-slash delimiters (e.g., /Name/, Name (in quotes), -//Name), and where prior thread history confirms the VIP either authored a previous message or is being actively impersonated by a mismatched sender. Observed lures include fabricated invoices, leadership recognition offers, and forwarded billing threads referencing real executives by name and company. The pattern spans multiple sender domains and spoofed invoice references, all anchored to VIP identity signals extracted from thread context."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(coalesce(body.plain.raw, body.html.display_text)) < 6000
 8  and strings.icontains(strings.replace_confusables(subject.base),
 9                        '"',
10                        '/-/',
11                        '-//',
12                        '-/',
13                        '-#'
14  )
15  and any(body.previous_threads,
16          any($org_vips,
17              (
18                strings.icontains(strings.replace_confusables(subject.base),
19                                  strings.concat('"', .display_name)
20                )
21                or strings.icontains(strings.replace_confusables(subject.base),
22                                     strings.concat(.display_name, '"')
23                )
24                or strings.icontains(strings.replace_confusables(subject.base),
25                                     strings.concat('/-/', .display_name)
26                )
27                or strings.icontains(strings.replace_confusables(subject.base),
28                                     strings.concat('-//', .display_name)
29                )
30                or strings.icontains(strings.replace_confusables(subject.base),
31                                     strings.concat('-/', .display_name)
32                )
33                or strings.icontains(strings.replace_confusables(subject.base),
34                                     strings.concat('-#', .display_name)
35                )
36              )
37              and (
38                strings.icontains(..sender.display_name, .display_name)
39                or (
40                  .email != "" and strings.icontains(..sender.email.email, .email)
41                )
42                or (
43                  strings.icontains(sender.display_name, .display_name)
44                  and sender.email.email != .email
45                )
46              )
47          )
48  )
49  and any(ml.nlu_classifier(body.current_thread.text).topics,
50          .name in (
51            "Financial Communications",
52            "Request to View Invoice",
53            "Payment Information"
54          )
55          and .confidence != "low"
56  )  
57attack_types:
58  - "BEC/Fraud"
59tactics_and_techniques:
60  - "Impersonation: VIP"
61  - "Social engineering"
62  - "Spoofing"
63detection_methods:
64  - "Content analysis"
65  - "Sender analysis"
66  - "Header analysis"
67id: "e1ebf4ff-69c3-5188-9999-195cb218933f"
to-top