• Sublime Core Feed
Medium Severity

Impersonation: Human Resources with link or attachment and engaging language

Labels

BEC/Fraud
Credential Phishing
Impersonation: Employee
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis

Description

Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Apr 14th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and sender.email.domain.domain not in $org_domains
and (
  regex.icontains(sender.display_name,
                  '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
  )
  or (
    length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                  .name == "sender"
           )
    ) == 1
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "sender"
            and regex.icontains(.text,
                                '(\bh\W?r\W?\b|human\s?resources|hr depart(ment)?|employee relations)'
            )
    )
  )
)
and not (
  strings.icontains(sender.display_name, sender.email.domain.domain)
  and sender.email.domain.tld == "hr"
)

// negate replies
and (
  length(headers.references) == 0
  or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
// Negate common marketing mailers
and not (
  sender.display_name is not null
  and regex.icontains(sender.display_name,
                      'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations'
  )
)
and not (
  any(headers.hops,
      strings.icontains(.authentication_results.spf_details.designator,
                        "constantcontact.com"
      )
  )
  or any(headers.hops,
         strings.icontains(.received_spf.designator, "constantcontact.com")
  )
  or (
    (
      any(headers.hops,
          .index == 0
          and any(.authentication_results.dkim_details,
                  .domain == "auth.ccsend.com"
          )
      )
    )
    and headers.auth_summary.dmarc.pass
  )
  or any(headers.references, strings.iends_with(., "ccsend.com"))
)
and (
  (0 < length(body.links) < 10 or length(attachments) > 0)
  // mass-mailer infra abuse results in an inflated link count due to mailer templates that include links for unsubbing, changing preferences, etc.
  // loosening the link count check as a result ensures we fire even with these conditions
  or (
    any(body.links,
        strings.ilike(.display_text,
                      "*unsubscribe*",
                      "update your preferences",
                      "add us to your address book"
        )
    )
    and 0 < length(body.links) < 15
  )
)
// Request and Urgency
and (
  (
    length(body.current_thread.text) > 100
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "request"
    )
    and (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name in ("urgency", "financial")
      )
      or (
        any(beta.ml_topic(body.current_thread.text).topics,
            .name == "Professional and Career Development"
            and .confidence == "high"
        )
        and any(ml.nlu_classifier(body.current_thread.text).intents,
                .name != "benign"
        )
      )
    )
  )
  or (
    length(body.current_thread.text) < 400
    and any(attachments,
            (.file_type in $file_types_images or .file_type == "pdf")
            and any(file.explode(.),
                    .scan.qr.type == "url"
                    and .scan.qr.url.domain.root_domain not in $org_domains
            )
    )
  )
)
// additional suspicious indicator
and (
  any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
  or length(ml.nlu_classifier(body.current_thread.text).intents) == 0 // not benign but not malicious either
  // 1-2 all caps body links
  or 0 < length(filter(body.links,
                       not (
                         strings.ilike(.display_text,
                                       "*unsubscribe*",
                                       "update your preferences",
                                       "add us to your address book"
                         )
                         or .href_url.domain.root_domain == 'aka.ms'
                       )
                       and regex.match(.display_text, '[A-Z ]+')
                ),
  ) < 3
  or any(attachments,
         (.file_type in $file_types_images or .file_type == "pdf")
         and any(file.explode(.),
                 any(ml.nlu_classifier(.scan.ocr.raw).intents,
                     .name == "cred_theft" and .confidence == "high"
                 )
         )
  )
)
// topic negation
and not any(beta.ml_topic(body.current_thread.text).topics,
            .name in (
              "Newsletters and Digests",
              "Advertising and Promotions",
              "Educational and Research",
            )
            and .confidence == "high"
)
and (
  profile.by_sender_email().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
  or sender.email.email in (
    "adobesign@adobesign.com",
    "noreply@salesforce.com",
    "support@salesforce.com",
    "no-reply@salesforce.com"
  ) // abused services
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      not headers.auth_summary.dmarc.pass
      or (
        headers.auth_summary.dmarc.pass is null
        and not headers.auth_summary.spf.pass
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started