VIP / Executive impersonation (strict match, untrusted)
Description
Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before.
The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender.
Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
References
No references.
type.inbound
and any($org_vips, .display_name =~ sender.display_name)
and (
// ignore personal <> work emails
// where the sender and mailbox's display name are the same
length(recipients.to) > 0
or length(recipients.cc) > 0
or sender.display_name != mailbox.display_name
)
// bounce-back negations
and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
and not any(attachments,
.content_type in (
"message/rfc822",
"message/delivery-status",
"text/calendar"
)
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and (
(
sender.email.domain.root_domain in $org_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $org_domains
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.