• Sublime Core Feed
Medium Severity

Employee impersonation with urgent request (untrusted sender)

Labels

BEC/Fraud
Impersonation: Employee
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis

Description

Sender is using a display name that matches the display name of someone in your organization.

Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Jul 17th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound

// ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
and strings.contains(sender.display_name, " ")
and sender.display_name in~ $org_display_names
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "bec" and .confidence == "high"
  )
  or (
    (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "urgency"
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "request"
      )
    )
    and not any(ml.nlu_classifier(body.current_thread.text).intents,
                .name == "benign" and .confidence == "high"
    )
    and (
      (
        // there are intents returned
        any(ml.nlu_classifier(body.current_thread.text).intents, true)
        // short body that also contains an org display name
        or (
          length(body.current_thread.text) > 200
          and any(ml.nlu_classifier(body.current_thread.text).entities,
                  .name == "sender" and .text in~ $org_display_names
          )
        )
      )
      and not strings.istarts_with(subject.subject, "fwd:")
    )
  )
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)

// negate org domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $org_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $org_domains
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

and not profile.by_sender().any_false_positives
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started