Xero invoice abuse
Detects suspicious Xero invoice communications containing urgent payment requests where the sender's display name either contains confusable characters or impersonates internal services such as HR or IT support.
Sublime rule (View on GitHub)
# Sublime Security detection rule (MQL in the `source` block).
# Fires on inbound invoice mail from the xero.com root domain that carries
# urgency/request language and whose sender display name looks like brand
# or internal-service impersonation (see the two `and (...)` groups below).
name: "Xero invoice abuse"
description: "Detects suspicious Xero invoice communications containing urgent payment requests where the sender's display name contains either confusable characters or impersonates internal services like HR or IT support."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail whose sender root domain is xero.com, i.e. mail that
  // arrives from Xero's own domain (the rule targets abuse of Xero invoicing).
  // NOTE(review): no SPF/DKIM/DMARC result is consulted here, so the domain
  // comparison alone establishes "from Xero" — confirm that is intended.
  type.inbound
  and sender.email.domain.root_domain == "xero.com"
  and (
    // contains legitimate xero invoice links
    // Precedence: `and` binds tighter than `or`, so the predicate reads as
    //   (domain == in.xero.com)
    //   OR (root_domain == mimecaseprotect.com AND query_params == "domain=in.xero.com")
    // The second branch is meant for links already rewritten by a URL-protection
    // service. NOTE(review): the query_params comparison is exact equality, so a
    // rewritten link carrying any extra parameter will not match; also confirm the
    // spelling of the rewriting domain against real samples.
    any(body.links,
        .href_url.domain.domain == "in.xero.com"
        or .href_url.domain.root_domain == "mimecaseprotect.com" and .href_url.query_params == "domain=in.xero.com")
    // AND financial communications with invoice content and urgency
    // (the operator is `and`, not `or`: the link check and the content checks
    // below must all hold for the rule to fire)
    and (
      // topic classifier: financial communications at anything above low confidence
      any(beta.ml_topic(body.current_thread.text).topics,
          .name == "Financial Communications" and .confidence != "low"
      )
      // NLU tag: invoice at medium or high confidence
      and any(ml.nlu_classifier(body.current_thread.text).tags,
              .name == "invoice" and .confidence in ("medium", "high")
      )
      // NLU entities: both an urgency cue and a request must be present
      // (the pressure-to-act language of a payment lure)
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "urgency"
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "request"
      )
    )
  )
  and (
    // display name contains confusables (brand impersonation):
    // if normalising confusable characters changes the string, the name held
    // at least one (semantics of strings.replace_confusables not visible here)
    sender.display_name != strings.replace_confusables(sender.display_name)
    // or HR/recruitment/employment/internal service impersonation
    // NOTE(review): only `hr` is word-bounded; every other alternation is a
    // case-insensitive substring match, so `admin` matches any display name
    // containing that substring and already subsumes `administrator`.
    or regex.icontains(sender.display_name, '\bhr\b|human resources|staffing|recruiting|recruitment|employment|payroll|it support|help ?desk|admin|administrator')
  )


attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Content analysis"
  - "Sender analysis"
id: "6538c600-06a5-5a2e-ab76-8dd7f77b2fa3"