High Severity

Impersonation: Suspected supplier impersonation with suspicious content

Labels

BEC/Fraud

Evasion

Natural Language Understanding

Sender analysis

URL analysis

Whois

Description

This rule detects supplier impersonation by checking for: similar linked domains to the sender, non-freemail senders using freemail infrastructure, sender domains less than 90 days old, unsolicited communication or no prior interaction with the reply-to address, and a suspicious body.

References

No references.

Sublime Security

Created Jan 30th, 2024 • Last updated Feb 3rd, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound

// a linked domain is similar but not the same as the sender domain
and any(body.links,
        length(.href_url.domain.sld) > 3
        and 0 < strings.levenshtein(.href_url.domain.sld,
                                    sender.email.domain.sld
        ) <= 2
        and not sender.email.domain.root_domain == "onmicrosoft.com"

        // looking for lookalike domains above, typically the registrars won't match
        and network.whois(sender.email.domain).registrar_name != network.whois(.href_url.domain
        ).registrar_name

        // and one of the domains is less than 30 days old
        and (
          network.whois(sender.email.domain).days_old < 30
          or network.whois(.href_url.domain).days_old < 30
        )
)
// the sender is not a freemail, but the message or the in-reply-to indicates it traversed a freemail infrastructure, likely an auto forwarding rule. Or the sender or reply-to domain is new
and (
  sender.email.domain.root_domain not in $free_email_providers
  and (
    any(headers.references,
        any($free_email_providers, strings.contains(.., .))
        and not strings.ends_with(., "outlook.com")
    )
    or (
      any($free_email_providers,
          strings.contains(headers.in_reply_to, .)
          and not strings.ends_with(headers.in_reply_to, 'outlook.com')
      )
      // with the suspicious traversal tolerate 90 days
      and network.whois(sender.email.domain).days_old < 90
    )
    or any(headers.reply_to,
           network.whois(.email.domain).days_old < 30
           and .email.email != sender.email.email
    )
  )
)

//  not solicited, nor ever communicated with
and (
  not profile.by_sender_domain().solicited
  or // reply-to is not in $recipient_emails
 any(headers.reply_to, .email.email not in $recipient_emails)
)
and (
  2 of (
    // language attempting to engage
    (
      any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).entities,
          .name == "request"
      )
      and any(ml.nlu_classifier(coalesce(body.plain.raw,
                                         body.current_thread.text
                                )
              ).entities,
              .name == "financial"
      )
    ),
    // payment tag high confidence 
    any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).tags,
        .name == "payment" and .confidence == "high"
    ),
    // invoicing language
    any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).tags,
        .name == "invoice"
    ),

    // urgency request
    any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).entities,
        .name == "urgency"
    )
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.