• Sublime Core Feed
Medium Severity

VIP impersonation: Fake thread with display name match, email mismatch

Labels

BEC/Fraud
Evasion
Impersonation: VIP
Social engineering
Spoofing
Content analysis
Header analysis
Sender analysis
Whois

Description

This rule is intended to detect fake threads that impersonate a VIP. It looks for a quoted "From:" line whose display name matches an entry in $org_vips and checks that the email address following it does not match the address recorded for that VIP in the $org_vips list.

References

No references.

Sublime Security
Created May 9th, 2024 • Last updated Jul 29th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any($org_vips,
        strings.icontains(body.html.display_text,
                          strings.concat("From: ", .display_name, " <")
        )
        and not strings.icontains(body.html.display_text,
                              strings.concat("From: ",
                                             .display_name, " <",
                                             .email, ">"
                              )
        )
)
and any([body.current_thread.text, body.html.display_text, body.plain.raw],
        3 of (
          strings.icontains(., "from:"),
          strings.icontains(., "to:"),
          strings.icontains(., "sent:"),
          strings.icontains(., "date:"),
          strings.icontains(., "cc:"),
          strings.icontains(., "subject:")
        )
)
and (
  length(headers.references) == 0
  or headers.in_reply_to is null
)
and (
  network.whois(sender.email.domain).days_old < 90
  or profile.by_sender().days_known == 0
)
and not profile.by_sender().solicited
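The rule's clauses translated into a small Python check run over a constructed message, as an added example that is not part of the Sublime rule or its engine; the $org_vips entries, the message fields (display_text, references, domain age, days known) and the sample thread text are all assumed stand-ins for the real MQL objects.

```python
# Constructed stand-in for $org_vips: VIP display names and their real addresses.
ORG_VIPS = [{"display_name": "Jane Doe", "email": "jane.doe@example.com"}]
HEADER_MARKERS = ("from:", "to:", "sent:", "date:", "cc:", "subject:")


def vip_display_name_mismatch(text, vips=ORG_VIPS):
    """any($org_vips, ...) clause: a quoted 'From: <VIP name> <' line exists, but the
    full 'From: <VIP name> <vip email>' form does not, so the address was swapped."""
    low = text.lower()
    for vip in vips:
        prefix = f"from: {vip['display_name']} <".lower()
        legit = prefix + vip["email"].lower() + ">"
        if prefix in low and legit not in low:
            return True
    return False


def looks_like_quoted_thread(text):
    """'3 of (...)' clause: at least three quoted-header markers appear in the body."""
    low = text.lower()
    return sum(marker in low for marker in HEADER_MARKERS) >= 3


def rule_matches(msg, vips=ORG_VIPS):
    """Combine the clauses the same way the rule does. `msg` is a constructed dict
    standing in for the MQL message object, not Sublime's real data model."""
    no_thread_headers = len(msg["references"]) == 0 or msg["in_reply_to"] is None
    new_or_unknown = msg["domain_days_old"] < 90 or msg["days_known"] == 0
    return (vip_display_name_mismatch(msg["display_text"], vips)
            and looks_like_quoted_thread(msg["display_text"])
            and no_thread_headers
            and new_or_unknown
            and not msg["solicited"])


# Constructed sample: a fabricated "forwarded" thread that pairs the VIP's name with
# an outside mailbox, sent from a domain registered twelve days ago.
FAKE_THREAD = {
    "display_text": ("Please handle this today.\n\n"
                     "From: Jane Doe <jane.doe@webmail-lookalike.test>\n"
                     "Sent: Monday, 9:02 AM\nTo: finance@example.com\n"
                     "Subject: Wire request"),
    "references": [], "in_reply_to": None,
    "domain_days_old": 12, "days_known": 0, "solicited": False,
}

# Same thread but quoting the VIP's real address: the first clause no longer fires.
REAL_THREAD = dict(FAKE_THREAD, display_text=FAKE_THREAD["display_text"].replace(
    "jane.doe@webmail-lookalike.test", "jane.doe@example.com"))
```

The last constant shows why the second icontains is needed: a quoted thread that carries the VIP's genuine address is not flagged, only one where the name is kept and the address replaced.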