Tactic or Technique: Impersonation: Employee

Employee impersonation is a tactic where attackers pose as someone inside your organization, like a coworker, manager, or contractor, to get you to take action. These messages often look like they’re coming from a trusted internal contact by using spoofed display names, freemail accounts, or lookalike domains.
The emails are usually short and urgent. You might see what looks like a request from your manager to send a wire transfer, from IT asking you to verify your login, or from HR sharing a document. Attackers often research your org chart, titles, or communication habits to make the message feel more believable.
If you respond, the consequences can be serious. You might send sensitive data, move money to the wrong account, or open a file that installs malware. These attacks work because they feel familiar, and the sender looks like someone you normally trust.
Blog Posts
Talking phish over turkey
Talking phish over turkey
Payroll Fraud via LLM-Generated Emails
Payroll Fraud via LLM-Generated Emails
Attack Types (4):
Credential Phishing
BEC/Fraud
Callback Phishing
Malware/Ransomware
Detection Methods (9):
File analysis
URL analysis
Sender analysis
Content analysis
Header analysis
Natural Language Understanding
HTML analysis
Archive analysis
Macro analysis
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Suspicious attachment with unscannable Cloudflare link
20d ago
Jun 2nd, 2025 UTC
Sublime Security
Credential Phishing
Evasion
PDF
Social engineering
Impersonation: Employee
Impersonation: VIP
File analysis
URL analysis
Sender analysis
Content analysis
Header analysis
Natural Language Understanding
/feeds/core/detection-rules/suspicious-attachment-with-unscannable-cloudflare-link-00f92b6f
Corporate Services Impersonation Phishing
24d ago
May 29th, 2025 UTC
Sublime Security
Credential Phishing
Impersonation: Employee
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/corporate-services-impersonation-phishing-3cd04f33
Impersonation: Human Resources with link or attachment and engaging language
2mo ago
Apr 14th, 2025 UTC
Sublime Security
BEC/Fraud
Credential Phishing
Impersonation: Employee
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/impersonation-human-resources-with-link-or-attachment-and-engaging-language-8c95a6a8
Canva Infrastructure Abuse
2mo ago
Apr 1st, 2025 UTC
Sublime Security
BEC/Fraud
Callback Phishing
Social engineering
Impersonation: Brand
Impersonation: Employee
Free email provider
Natural Language Understanding
Sender analysis
Content analysis
/feeds/core/detection-rules/canva-infrastructure-abuse-b69fdb5c
Sharepoint Link Likely Unrelated to Sender
3mo ago
Mar 12th, 2025 UTC
Sublime Security
BEC/Fraud
Credential Phishing
Impersonation: Employee
Lookalike domain
OneNote
PDF
Social engineering
URL analysis
Sender analysis
Header analysis
HTML analysis
/feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489
Benefits Enrollment Impersonation
4mo ago
Jan 30th, 2025 UTC
Sublime Security
Credential Phishing
Evasion
Impersonation: Employee
Out of band pivot
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/benefits-enrollment-impersonation-5a6eb5a8
Employee Impersonation: Payroll Fraud
6mo ago
Dec 16th, 2024 UTC
Sublime Security
BEC/Fraud
Impersonation: Employee
Free email provider
Social engineering
Content analysis
Sender analysis
/feeds/core/detection-rules/employee-impersonation-payroll-fraud-2beb7d85
Suspicious Request for Financial Information
6mo ago
Nov 25th, 2024 UTC
Sublime Security
BEC/Fraud
Free email provider
Impersonation: Employee
Impersonation: VIP
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/suspicious-request-for-financial-information-4ebdaa4d
VIP impersonation with charitable donation fraud
8mo ago
Oct 8th, 2024 UTC
Sublime Security
BEC/Fraud
Impersonation: Employee
Impersonation: VIP
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/vip-impersonation-with-charitable-donation-fraud-35a56b8e
Employee impersonation with urgent request (untrusted sender)
11mo ago
Jul 17th, 2024 UTC
Sublime Security
BEC/Fraud
Impersonation: Employee
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/employee-impersonation-with-urgent-request-untrusted-sender-1ce9a146
VIP Impersonation via Google Group relay with suspicious indicators
1y ago
May 3rd, 2024 UTC
Sublime Security
BEC/Fraud
Credential Phishing
Malware/Ransomware
Evasion
Free email provider
Impersonation: Employee
Social engineering
Spoofing
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/vip-impersonation-via-google-group-relay-with-suspicious-indicators-57f9cd3b
Attachment with VBA macros from employee impersonation (unsolicited)
1y ago
Feb 26th, 2024 UTC
Sublime Security
Malware/Ransomware
Impersonation: Employee
Macros
Social engineering
Archive analysis
File analysis
Macro analysis
Sender analysis
/feeds/core/detection-rules/attachment-with-vba-macros-from-employee-impersonation-unsolicited-9b262123
BEC: Employee impersonation with subject manipulation
1y ago
Jan 22nd, 2024 UTC
Sublime Security
BEC/Fraud
Impersonation: Employee
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/bec-employee-impersonation-with-subject-manipulation-9adfc77b