Medium Severity

Attachment: USDA Bid Invitation Impersonation

Labels

BEC/Fraud
Impersonation: Brand
PDF
Macros
Social engineering
Content analysis
File analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis

Description

Detects messages claiming to be from the USDA that contain bid invitations with macro-enabled or PDF attachments. USDA-related content is validated through OCR of the attachment and natural language analysis of the message text.

References

Sublime Security
Created May 23rd, 2025 • Last updated May 23rd, 2025
Feed Source
Sublime Core Feed
Source
GitHub

// Inbound message carrying exactly one attachment
type.inbound
and length(attachments) == 1
// The attachment is macro-enabled or a PDF, and OCR text from its
// exploded contents yields an NLU entity mentioning "Agriculture"
and all(attachments,
        (.file_extension in~ $file_extensions_macros or .file_type == "pdf")
        and any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).entities,
                    strings.icontains(.text, "Agriculture")
                )
        )
)
// Bid language in the current thread, plus either an "invitation to bid"
// subject or an attachment whose file name references USDA
and strings.icontains(body.current_thread.text, "bid")
and (
  strings.icontains(subject.subject, 'invitation to bid')
  or any(attachments, strings.icontains(.file_name, 'usda'))
)
// Sender domain contains "usda", and NLU identifies "usda" as the
// sender or organization entity in the body text
and strings.icontains(sender.email.domain.domain, "usda")
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .text == "usda" and .name in ("sender", "org")
)