High Severity
VIP impersonation with invoicing request
Description
This rule detects emails attempting to impersonate a VIP, it leverages NLU to determine if there is invoicing verbiage in the current thread, and requires request language.
References
No references.
Sublime Security
Created Mar 11th, 2024 • Last updated Apr 23rd, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and any($org_vips, strings.contains(sender.display_name, .display_name))
and (
(
sender.email.domain.domain in $org_domains
// X-headers indicate external sender
and headers.x_authenticated_sender.email != sender.email.email
and headers.x_authenticated_domain.domain not in $org_domains
)
or sender.email.domain.domain not in $org_domains
)
// Invoice Language with a request
and (
any(ml.nlu_classifier(body.current_thread.text).tags,
.name == "invoice"
and .confidence in ("medium", "high")
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
)
)
)
// and the reply to email address has never been contacted
and any(headers.reply_to, .email.email not in $recipient_emails)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.