Sublime Core Feed
High Severity

Attachment: RFP/RFQ impersonating government entities

Labels

BEC/Fraud
Impersonation: Brand
PDF
Social engineering
Content analysis
File analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis

Description

An attached RFP/RFQ impersonates a U.S. government department or entity in order to solicit fraudulent transactions.

References

No references.

Sublime Security
Created Jan 30th, 2024 • Last updated Jan 30th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// exactly one attachment, and it is either a macro-capable Office file or a PDF
and length(attachments) == 1
and all(attachments,
        .file_extension in~ $file_extensions_macros or .file_type == "pdf"
)
// the visible message body names a government department or office
and regex.icontains(body.current_thread.text, "department of|office of")
// RFP/RFQ language in the subject or in the attachment file name
and (
  regex.icontains(subject.subject,
                  '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
  )
  or any(attachments,
         regex.icontains(.file_name,
                         '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
         )
  )
)
// sender domain contains "gov" as a substring (a lookalike such as "usgov-procurement.com"
// also matches; this clause is not restricted to the .gov TLD)
and strings.icontains(sender.email.domain.domain, "gov")
// NLU classifies the body as a purchase order, and OCR of the exploded attachment
// also yields a government department or office as an entity
and (
  any(ml.nlu_classifier(body.current_thread.text).tags,
      .name == "purchase_order"
  )
  and any(attachments,
          any(file.explode(.),
              any(ml.nlu_classifier(.scan.ocr.raw).entities,
                  regex.icontains(.text, "department of|office of")
              )
          )
  )
)
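The MQL above only runs inside Sublime, so what follows is an added Python model of the same clauses, evaluated over constructed messages; it is example code written for this page, not Sublime's rule engine or any part of the Core Feed. It assumes a stand-in subset for the $file_extensions_macros list, takes the NLU "purchase_order" tag as an input field rather than computing it, and applies the "department of|office of" regex to the attachment's OCR text directly instead of to NLU-extracted entities. The clause names it returns make it easy to see which condition keeps a near-miss message from firing.

```python
"""Python model of the RFP/RFQ government-impersonation rule, run over constructed messages."""
import re
from dataclasses import dataclass
from typing import List, Set

# Assumption: stand-in subset for Sublime's $file_extensions_macros list; the real
# list is maintained by Sublime and may differ.
FILE_EXTENSIONS_MACROS = {
    "doc", "docm", "dot", "dotm", "xls", "xlsm", "xlt", "xltm", "ppt", "pptm", "pot", "potm",
}

# Same patterns as the rule; re.IGNORECASE mirrors regex.icontains.
RFP_RE = re.compile(r"(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)", re.IGNORECASE)
GOV_ENTITY_RE = re.compile(r"department of|office of", re.IGNORECASE)


@dataclass
class Attachment:
    file_name: str
    file_extension: str
    file_type: str
    ocr_text: str = ""  # stand-in for the exploded file's .scan.ocr.raw


@dataclass
class Message:
    inbound: bool
    sender_domain: str            # sender.email.domain.domain
    subject: str
    body_text: str                # body.current_thread.text
    attachments: List[Attachment]
    nlu_tags: Set[str]            # stand-in for ml.nlu_classifier(body).tags names


def failed_clauses(msg: Message) -> List[str]:
    """Return the names of the rule clauses the message does NOT satisfy.

    An empty list means the rule would fire. Entries mirror the `and`-joined
    clauses of the MQL source, in the same order.
    """
    failures = []
    if not msg.inbound:
        failures.append("type.inbound")
    if len(msg.attachments) != 1:
        failures.append("length(attachments) == 1")
    # `in~` is a case-insensitive membership test, hence .lower()
    if not all(a.file_extension.lower() in FILE_EXTENSIONS_MACROS or a.file_type == "pdf"
               for a in msg.attachments):
        failures.append("attachment is macro-capable or pdf")
    if not GOV_ENTITY_RE.search(msg.body_text):
        failures.append("body mentions 'department of'/'office of'")
    if not (RFP_RE.search(msg.subject)
            or any(RFP_RE.search(a.file_name) for a in msg.attachments)):
        failures.append("RFP/RFQ keyword in subject or attachment name")
    # strings.icontains is a substring test: any domain containing "gov" passes,
    # not only .gov domains, so this clause leans on the others for precision.
    if "gov" not in msg.sender_domain.lower():
        failures.append("sender domain contains 'gov'")
    if "purchase_order" not in msg.nlu_tags:
        failures.append("NLU tag purchase_order")
    # Approximation: the rule runs the regex over NLU entities extracted from the
    # OCR text; here it runs over the OCR text itself.
    if not any(GOV_ENTITY_RE.search(a.ocr_text) for a in msg.attachments):
        failures.append("OCR text names a government department/office")
    return failures


def lure_sample() -> Message:
    """Constructed message shaped like the lure this rule targets (not real data)."""
    return Message(
        inbound=True,
        sender_domain="usgov-procurement.com",  # lookalike, not a .gov domain
        subject="RFQ 2024-0117: Request for Quotation",
        body_text="The Department of Veterans Affairs invites your quote for the attached items.",
        attachments=[Attachment("RFQ_Solicitation.pdf", "pdf", "pdf",
                                ocr_text="DEPARTMENT OF VETERANS AFFAIRS\nRequest for Quotation")],
        nlu_tags={"purchase_order"},
    )


def benign_sample() -> Message:
    """Constructed procurement note that shares a keyword but little else (not real data)."""
    return Message(
        inbound=True,
        sender_domain="example.com",
        subject="Vendor registration form",
        body_text="Please find attached the registration form from our office of procurement.",
        attachments=[Attachment("form.docx", "docx", "docx"),
                     Attachment("notes.txt", "txt", "txt")],
        nlu_tags=set(),
    )


if __name__ == "__main__":
    print("lure   ->", failed_clauses(lure_sample()) or "MATCH")
    print("benign ->", failed_clauses(benign_sample()))
```

Running the model on the lure returns no failed clauses, while the benign note fails on attachment count, attachment type, keyword, sender domain, NLU tag and OCR even though its body contains "office of". Changing the lure's sender to "governance-partners.com" still matches, which is the substring behaviour of strings.icontains that the other clauses have to compensate for; changing the subject to "Re: RFQs" stops the match because `\bRFQ\b` requires a word boundary after the Q.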