// Flags inbound messages that present themselves as the Internal Revenue
// Service (IRS) and whose content looks like a security/financial lure or a
// credential-theft attempt. Four groups are ANDed together:
//   1. an IRS reference in the sender display name or subject,
//   2. a content signal from the body text or from OCR of the rendered message,
//   3. a negation for long or one-click-unsubscribe mail classified as benign,
//   4. sender exclusions (org domains, authenticated .gov / listed domains,
//      authenticated high-trust senders).
type.inbound
and (
// display name, after confusable-character normalization, contains
// "internal revenue service" (case-insensitive) or starts with "IRS"
// (strings.like, the case-sensitive variant, so lowercase "irs" does not match)
(
strings.ilike(strings.replace_confusables(sender.display_name),
'*internal revenue service*'
)
or strings.like(strings.replace_confusables(sender.display_name), 'IRS*')
)
// display name is within an edit distance of 1 of "internal revenue service"
// (case-insensitive), to catch single-character typos of the full name
or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
'internal revenue service'
) <= 1
// or the subject contains "IRS" (case-sensitive) and the body is classified
// under the "Government Services" topic with anything above low confidence
or (
strings.like(strings.replace_confusables(subject.base), '*IRS*')
and any(ml.nlu_classifier(body.current_thread.text).topics,
.name == "Government Services" and .confidence != "low"
)
)
)
// content signal: at least one of the four branches below must match
and (
// branch 1: body text is high-confidence security/financial content and is not
// classified (above low confidence) as promotional, newsletter, political or
// event mail
(
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Security and Authentication", "Financial Communications")
and .confidence == "high"
)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Advertising and Promotions",
"Newsletters and Digests",
"Political Mail",
"Events and Webinars"
)
and .confidence != "low"
)
)
// branch 2: same topic test as branch 1, applied to the OCR text of the
// message screenshot, for messages with no previous threads
or (
// OCR length is more than 2x the current_thread length
// indicating that the body is mostly an image
// (+ 0.0 forces floating-point division)
// NOTE(review): when body.current_thread.text is empty the denominator is
// 0.0; confirm how the engine evaluates that, since an image-only message
// with no text body is the case this branch is meant to cover.
(
(length(beta.ocr(file.message_screenshot()).text) + 0.0) / (
length(body.current_thread.text) + 0.0
)
) > 2
and length(body.previous_threads) == 0
and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
.name in ("Security and Authentication", "Financial Communications")
and .confidence == "high"
)
and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
.name in (
"Advertising and Promotions",
"Newsletters and Digests",
"Political Mail",
"Events and Webinars"
)
and .confidence != "low"
)
)
// branches 3 and 4: high-confidence credential-theft intent in the body text
// or in the OCR text of the screenshot
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence == "high"
)
)
// negate messages that are (longer than 2500 characters or carry a one-click
// List-Unsubscribe-Post header in any hop) AND are classified as benign with
// high confidence.
// NOTE(review): body length and the unsubscribe header are both set by the
// sender, so the benign classification is the only condition here that the
// sender does not directly control.
and not (
(
length(body.current_thread.text) > 2500
or any(headers.hops,
any(.fields,
.name == 'List-Unsubscribe-Post'
and .value == 'List-Unsubscribe=One-Click'
)
)
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "benign" and .confidence == "high"
)
)
// exclude senders whose root domain is in $org_domains, and senders from
// govdelivery.com, ms-cpa.org or a .gov TLD that also pass DMARC.
// NOTE(review): the DMARC condition applies only to the second group;
// $org_domains is excluded whether or not authentication passes. Confirm that
// unauthenticated mail claiming an org domain is covered by another rule, or
// require headers.auth_summary.dmarc.pass for this branch as well.
and not (
sender.email.domain.root_domain in $org_domains
or (
(
sender.email.domain.root_domain in ("govdelivery.com", "ms-cpa.org")
or sender.email.domain.tld == "gov"
)
and headers.auth_summary.dmarc.pass
)
)
// high-trust sender root domains are excluded only when DMARC passes: a
// high-trust domain that fails DMARC is still evaluated, as is any domain
// outside the list
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)