Sublime Core Feed
High Severity

VIP Impersonation via Google Group relay with suspicious indicators

Labels

BEC/Fraud
Credential Phishing
Malware/Ransomware
Evasion
Free email provider
Impersonation: Employee
Social engineering
Spoofing
Content analysis
Header analysis
Natural Language Understanding
Sender analysis

Description

Public Google Groups can be used to relay mail that impersonates internal senders while the Reply-To address points outside organizational control, leading to fraud, credential phishing, or other unwanted outcomes.

References

No references.

Sublime Security
Created Jan 19th, 2024 • Last updated May 3rd, 2024
Feed Source
Sublime Core Feed
Source
GitHub
(type.inbound or type.internal)
and sender.email.domain.root_domain in $org_domains

// subject, sender or reply-to contains a VIP display name
and (
  any(headers.reply_to,
      any($org_vips, strings.contains(.display_name, ..display_name))
  )
  or any($org_vips, strings.contains(subject.subject, .display_name))
  or any($org_vips, strings.contains(sender.display_name, .display_name))
)
and any(headers.hops,
        any(.fields,
            regex.icontains(.name,
                            "X-Authenticated-Sender|X-Sender|X-Original-Sender"
            )
        )
)

// reply to return path mismatch and not org domain
and any(headers.reply_to,
        .email.domain.root_domain != headers.return_path.domain.root_domain
        and .email.domain.root_domain not in $org_domains
)

// googlegroups found in hops
and any(headers.hops,
        .index == 0 and any(.fields, strings.icontains(.value, "googlegroups"))
)

// at least three of the following supporting indicators
and 3 of (
  // financial nlu entity in current thread
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "financial"
  ),

  // invoice nlu tag in current thread
  any(ml.nlu_classifier(body.current_thread.text).tags, .name == "invoice"),

  // fake thread
  (
    regex.imatch(subject.subject, "(re|fw(d)?):.*")
    and (
      (length(headers.references) == 0 and headers.in_reply_to is null)
      or not any(headers.hops,
                 any(.fields, strings.ilike(.name, "In-Reply-To"))
      )
    )
  ),

  // reply-to is freemail
  any(headers.reply_to, .email.domain.domain in $free_email_providers),

  // reply-to is not in $recipient_emails
  any(headers.reply_to, .email.email not in $recipient_emails),

  // dmarc authentication is freemail provider
  headers.auth_summary.dmarc.details.from.root_domain in $free_email_providers
)
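As an added illustration, not part of the Sublime rule or the Core Feed, the following Python approximates the rule's logic with the standard library against a constructed sample message. The organisation lists, the keyword stand-in for the NLU financial/invoice entities, and the assumption that hops[0] is the first Received header are all assumptions noted in the comments.

```python
import re
from email import message_from_string, policy
# Assumed org context (the real rule reads $org_domains, $org_vips, $free_email_providers).
ORG_DOMAINS, ORG_VIPS = {"example.com"}, {"Jane Doe"}
FREE_EMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
RELAY_HEADERS = ("X-Authenticated-Sender", "X-Sender", "X-Original-Sender")
# Constructed sample (not real traffic) modelled on the relay pattern the rule describes.
SAMPLE_EML = """\
Return-Path: <team+bncBAABB@googlegroups.com>
Received: by mail.googlegroups.com with SMTP id c0nstructed; Fri, 19 Jan 2024 10:00:00 +0000
X-Original-Sender: ceo.janedoe@gmail.com
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <ceo.janedoe@gmail.com>
To: accounts@example.com
Subject: Re: Urgent invoice payment
Content-Type: text/plain

Please process the attached invoice by wire today.
"""

def root_domain(addr_spec):  # last two labels: naive, but enough for this sample
    return ".".join(addr_spec.rpartition("@")[2].lower().split(".")[-2:])

def addrs(msg, name):
    return list(msg[name].addresses) if msg[name] is not None else []

def evaluate(raw):
    msg = message_from_string(raw, policy=policy.default)
    sender, reply_tos = addrs(msg, "From")[0], addrs(msg, "Reply-To")
    subject, hops = str(msg.get("Subject", "")), msg.get_all("Received", [])
    return_path = str(msg.get("Return-Path", "")).strip("<> ")
    recipients = {a.addr_spec.lower() for a in addrs(msg, "To") + addrs(msg, "Cc")}
    names = [sender.display_name, subject] + [a.display_name for a in reply_tos]
    required = {  # all must hold, as in the top half of the rule
        "sender_is_org": root_domain(sender.addr_spec) in ORG_DOMAINS,
        "vip_named": any(vip in n for vip in ORG_VIPS for n in names),
        "relay_header": any(h in msg for h in RELAY_HEADERS),
        "replyto_mismatch": any(root_domain(a.addr_spec) != root_domain(return_path)
                                and root_domain(a.addr_spec) not in ORG_DOMAINS for a in reply_tos),
        "google_group_hop": bool(hops) and "googlegroups" in hops[0].lower(),  # assumes hops[0] is first Received
    }
    indicators = {  # at least 3 must hold; financial_language is a keyword stand-in for the NLU entities
        "fake_thread": bool(re.match(r"(re|fwd?):", subject, re.I))
                       and not msg.get("References") and not msg.get("In-Reply-To"),
        "replyto_freemail": any(a.domain.lower() in FREE_EMAIL for a in reply_tos),
        "replyto_not_recipient": any(a.addr_spec.lower() not in recipients for a in reply_tos),
        "financial_language": bool(re.search(r"\b(invoice|wire|payment)\b", msg.get_content(), re.I)),
    }
    return all(required.values()) and sum(indicators.values()) >= 3, required, indicators
```

evaluate() returns the verdict alongside both dictionaries so a triage analyst can see which required check or supporting indicator failed on a near-miss.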