High Severity

VIP impersonation with invoicing request

Description

This rule detects emails attempting to impersonate a VIP, it leverages NLU to determine if there is invoicing verbiage in the current thread, and requires request language.

References

No references.

Sublime Security
Created Mar 11th, 2024 • Last updated Apr 23rd, 2024
Source
type.inbound
and any($org_vips, strings.contains(sender.display_name, .display_name))
and (
  (
    sender.email.domain.domain in $org_domains
    // X-headers indicate external sender
    and headers.x_authenticated_sender.email != sender.email.email
    and headers.x_authenticated_domain.domain not in $org_domains
  )
  or sender.email.domain.domain not in $org_domains
)

// Invoice Language with a request
and (
  any(ml.nlu_classifier(body.current_thread.text).tags,
      .name == "invoice"
      and .confidence in ("medium", "high")
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "request"
      )
  )
)

// and the reply to email address has never been contacted  
and any(headers.reply_to, .email.email not in $recipient_emails)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.