VIP / Executive impersonation (first-time sender, unsolicited)May 8, 2023 · VIP impersonation Executive impersonation Attack surface reduction ·
Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before.
The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message that matches the protected list of display names from a first-time or unsolicited sender.
Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
VIP impersonation with urgent request (first-time sender)Feb 21, 2023 · VIP impersonation Executive impersonation Suspicious sender Machine Learning Natural Language Understanding ·
Sender is using a display name that matches the display name of someone in your $org_vips list.
Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body first-time senders.