- Impersonation: Employee
Tactic or Technique: Impersonation: Employee
Employee impersonation is a tactic where attackers pose as someone inside your organization, like a coworker, manager, or contractor, to get you to take action. These messages often look like they’re coming from a trusted internal contact by using spoofed display names, freemail accounts, or lookalike domains.
The emails are usually short and urgent. You might see what looks like a request from your manager to send a wire transfer, from IT asking you to verify your login, or from HR sharing a document. Attackers often research your org chart, titles, or communication habits to make the message feel more believable.
If you respond, the consequences can be serious. You might send sensitive data, move money to the wrong account, or open a file that installs malware. These attacks work because they feel familiar, and the sender looks like someone you normally trust.
Attack Types (4):
Detection Methods (9):
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Suspicious attachment with unscannable Cloudflare link | 16d ago Jun 2nd, 2025 UTC | Sublime Security | /feeds/core/detection-rules/suspicious-attachment-with-unscannable-cloudflare-link-00f92b6f | |
Corporate Services Impersonation Phishing | 20d ago May 29th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/corporate-services-impersonation-phishing-3cd04f33 | |
Impersonation: Human Resources with link or attachment and engaging language | 2mo ago Apr 14th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/impersonation-human-resources-with-link-or-attachment-and-engaging-language-8c95a6a8 | |
Canva Infrastructure Abuse | 2mo ago Apr 1st, 2025 UTC | Sublime Security | /feeds/core/detection-rules/canva-infrastructure-abuse-b69fdb5c | |
Sharepoint Link Likely Unrelated to Sender | 3mo ago Mar 12th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489 | |
Benefits Enrollment Impersonation | 4mo ago Jan 30th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/benefits-enrollment-impersonation-5a6eb5a8 | |
Employee Impersonation: Payroll Fraud | 6mo ago Dec 16th, 2024 UTC | Sublime Security | /feeds/core/detection-rules/employee-impersonation-payroll-fraud-2beb7d85 | |
Suspicious Request for Financial Information | 6mo ago Nov 25th, 2024 UTC | Sublime Security | /feeds/core/detection-rules/suspicious-request-for-financial-information-4ebdaa4d | |
VIP impersonation with charitable donation fraud | 8mo ago Oct 8th, 2024 UTC | Sublime Security | /feeds/core/detection-rules/vip-impersonation-with-charitable-donation-fraud-35a56b8e | |
Employee impersonation with urgent request (untrusted sender) | 11mo ago Jul 17th, 2024 UTC | Sublime Security | /feeds/core/detection-rules/employee-impersonation-with-urgent-request-untrusted-sender-1ce9a146 | |
VIP Impersonation via Google Group relay with suspicious indicators | 1y ago May 3rd, 2024 UTC | Sublime Security | /feeds/core/detection-rules/vip-impersonation-via-google-group-relay-with-suspicious-indicators-57f9cd3b | |
Attachment with VBA macros from employee impersonation (unsolicited) | 1y ago Feb 26th, 2024 UTC | Sublime Security | /feeds/core/detection-rules/attachment-with-vba-macros-from-employee-impersonation-unsolicited-9b262123 | |
BEC: Employee impersonation with subject manipulation | 1y ago Jan 22nd, 2024 UTC | Sublime Security | /feeds/core/detection-rules/bec-employee-impersonation-with-subject-manipulation-9adfc77b |