High Severity
Benefits Enrollment Impersonation
Description
Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication.
References
No references.
Sublime Security
Created Jan 30th, 2025 • Last updated Jan 30th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and sender.email.domain.domain not in $org_domains
and (
length(body.current_thread.text) < 2500 or body.current_thread.text is null
)
and (
regex.icontains(subject.subject,
'(open|benefits?) enrol{1,2}ment', // catches both enrolment and enrollment
'benefit(s)? (plan|choice|selection|deadline|period)',
'hr benefits',
'annual enrol{1,2}ment',
'healthcare (choice|selection|opt.?in)',
'(fsa|hsa|401k) (enrol{1,2}ment|selection)',
'dependent (coverage|verification)',
'(health|dental|vision|insurance|medical) enrol{1,2}ment'
)
or regex.icontains(body.current_thread.text,
'benefit(s)? (plan|choice|selection|deadline|period)',
'hr benefits',
'annual enrol{1,2}ment',
'healthcare (choice|selection|opt.?in)',
'(fsa|hsa|401k) (enrol{1,2}ment|selection)',
'dependent (coverage|verification)',
'(health|dental|vision|insurance|medical) enrol{1,2}ment',
'(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)',
'coverage.{0,20}(expire|terminate)',
'last (day|chance).{0,20}(enrol{1,2}|select)',
'(login|sign.?in).{0,20}(benefit portal|hr portal)',
'(verify|update|confirm).{0,20}(benefit.{0,20}selection)'
)
or any(attachments,
regex.icontains(.file_name,
'fileDoc-Review',
'(open|benefits?) enrol{1,2}ment',
'annual enrol{1,2}ment',
'(fsa|hsa|401k) (enrol{1,2}ment|selection)',
'(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)',
)
)
)
and 2 of (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name in ("urgency", "request")
),
any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign"),
(
(length(body.current_thread.text) < 250 and length(attachments) == 1)
or (body.current_thread.text is null and length(attachments) == 1)
),
// lure in attachment
(
any(attachments,
(
.file_type in $file_types_images
or .file_type in ("pdf", "docx", "doc")
or .file_extension in $file_extensions_macros
)
and any(filter(file.explode(.), .scan.ocr.raw is not null),
(
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name != "benign"
)
and any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name in ("urgency", "request")
)
)
)
)
)
)
// negate replies
and (
length(headers.references) == 0
or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
// Negate common marketing mailers
and not regex.icontains(sender.display_name,
'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations'
)
and not (
// Constant Contact
any(headers.hops,
strings.icontains(.authentication_results.spf_details.designator,
"constantcontact.com"
)
)
or any(headers.hops,
strings.icontains(.received_spf.designator, "constantcontact.com")
)
or (
(
any(headers.hops,
.index == 0
and any(.authentication_results.dkim_details,
.domain == "auth.ccsend.com"
)
)
)
and headers.auth_summary.dmarc.pass
)
or any(headers.references, strings.iends_with(., "ccsend.com"))
// Hubspot
or any(headers.hops,
strings.icontains(.authentication_results.spf_details.designator,
"hubspotemail.net"
)
)
)
and sender.email.domain.root_domain not in~ (
'medicare.gov',
'farmers.com',
'uhc.com',
'blueshieldca.com',
'corestream.com'
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.