Description

Detects messages from senders posing as the Internal Revenue Service by checking display name similarity and content indicators from body text and screenshots. Excludes legitimate IRS domains and authenticated senders.

References

No references.

Sublime Security
Created Apr 7th, 2025 • Last updated Jul 14th, 2026
Source
type.inbound
and (
  // display name contains IRS
  (
    strings.ilike(strings.replace_confusables(sender.display_name),
                  '*internal revenue service*'
    )
    or strings.like(strings.replace_confusables(sender.display_name), 'IRS*')
    or regex.icontains(strings.replace_confusables(sender.display_name),
                       'internal.{0,5}revenue.{0,5}service'
    )
  )

  // levenshtein distance similar to IRS
  or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                          'internal revenue service'
  ) <= 1
  or (
    strings.like(strings.replace_confusables(subject.base), '*IRS*')
    and any(ml.nlu_classifier(body.current_thread.text).topics,
            .name == "Government Services" and .confidence != "low"
    )
  )
  or 2 of (
    strings.icontains(body.current_thread.text, "Internal Revenue Service"),
    strings.icontains(body.current_thread.text, "4228 Park Ave S"),
    strings.icontains(body.current_thread.text, "1111 Constitution Ave"),
    strings.icontains(body.current_thread.text, "New York, New York 10003"),
    strings.icontains(body.current_thread.text, "Washington, DC 20224")
  )
  or regex.icontains(body.current_thread.text,
                     '©\s*20[0-9]{2}\s*\s*Internal Revenue Service'
  )
)
and (
  (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Security and Authentication", "Financial Communications")
        and .confidence == "high"
    )
    and not any(ml.nlu_classifier(body.current_thread.text).topics,
                .name in (
                  "Advertising and Promotions",
                  "Newsletters and Digests",
                  "Political Mail",
                  "Events and Webinars"
                )
                and .confidence != "low"
    )
  )
  or (
    // OCR length is more than 2x the current_thread length
    // indicating that the body is mostly an image
    (
      (length(beta.ocr(file.message_screenshot()).text) + 0.0) / (
        length(body.current_thread.text) + 0.0
      )
    ) > 2
    and length(body.previous_threads) == 0
    and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
            .name in ("Security and Authentication", "Financial Communications")
            and .confidence == "high"
    )
    and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
                .name in (
                  "Advertising and Promotions",
                  "Newsletters and Digests",
                  "Political Mail",
                  "Events and Webinars"
                )
                and .confidence != "low"
    )
  )
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
  or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
)
and not (
  (
    length(body.current_thread.text) > 2500
    or any(headers.hops,
           any(.fields,
               .name == 'List-Unsubscribe-Post'
               and .value == 'List-Unsubscribe=One-Click'
           )
    )
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "benign" and .confidence == "high"
  )
)

// and the sender is not in org_domains or from .gov domains and passes auth
and not (
  sender.email.domain.root_domain in $org_domains
  or (
    (
      sender.email.domain.root_domain in ("govdelivery.com", "ms-cpa.org")
      or sender.email.domain.tld == "gov"
    )
    and headers.auth_summary.dmarc.pass
  )
)
// and the sender is not from high trust sender root domains
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started