High Severity
BEC: Employee impersonation with subject manipulation
Description
Subject matches the display name of someone in your organization, and the body resembles a BEC attack.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Jan 22nd, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
// attacks have been observed where the impersonation is
// in the subject, and the display name contains what a
// subject typically would contain. this is an attempt to
// bypass impersonation detections
and subject.subject in~ $org_display_names
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "bec" and .confidence in ("medium", "high")
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
Playground
Test against your own EMLs or sample data.