[Test Rules] [PR #4376] added rule: Employee impersonation with urgent request (untrusted sender)

github-actions[bot] · github-actions[bot] · commit 2b2bf666eae8 · 2026-04-21T16:01:56.000Z
diff --git a/detection-rules/4376_impersonation_employee_urgent_request.yml b/detection-rules/4376_impersonation_employee_urgent_request.yml
@@ -0,0 +1,105 @@
+name: "Employee impersonation with urgent request (untrusted sender)"
+description: |
+  Sender is using a display name that matches the display name of someone in your organization.
+
+  Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  
+  // ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
+  and strings.contains(sender.display_name, " ")
+  and sender.display_name in~ $org_display_names
+  and (
+    any(ml.nlu_classifier(body.current_thread.text).intents,
+        .name == "bec" and .confidence == "high"
+    )
+    or (
+      (
+        any(ml.nlu_classifier(body.current_thread.text).entities,
+            .name == "urgency"
+        )
+        and any(ml.nlu_classifier(body.current_thread.text).entities,
+                .name == "request"
+        )
+      )
+      and not any(ml.nlu_classifier(body.current_thread.text).intents,
+                  .name == "benign" and .confidence == "high"
+      )
+      and (
+        (
+          // there are intents returned
+          any(ml.nlu_classifier(body.current_thread.text).intents, true)
+          // short body that also contains an org display name
+          or (
+            length(body.current_thread.text) > 200
+            and any(ml.nlu_classifier(body.current_thread.text).entities,
+                    .name == "sender" and .text in~ $org_display_names
+            )
+          )
+        )
+        and not strings.istarts_with(subject.subject, "fwd:")
+      )
+    )
+    or (
+      any(ml.nlu_classifier(body.current_thread.text).entities,
+          .name == "request"
+      )
+      and sender.email.domain.root_domain in $free_email_providers
+      and any(headers.hops,
+              any(.fields,
+                  .name == "X-Forefront-Antispam-Report"
+                  and (
+                    strings.icontains(.value, "CAT:PHISH")
+                    or strings.icontains(.value, "CAT:SPOOF")
+                    or strings.icontains(.value, "CAT:HSPM")
+                  )
+              )
+      )
+    )
+  )
+  and (
+    (
+      profile.by_sender().prevalence in ("new", "outlier")
+      and not profile.by_sender().solicited
+    )
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_messages_benign
+    )
+    or not headers.auth_summary.dmarc.pass
+  )
+  
+  // negate org domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $org_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $org_domains
+  )
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  and not profile.by_sender().any_messages_benign
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Impersonation: Employee"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+id: "dfda762d-32eb-5101-ab91-544288c41a21"
+og_id: "1ce9a146-1293-531e-bb02-0af7ad1b018e"
+testing_pr: 4376
+testing_sha: 428d67034f48490a6127eeda449dca1145aae686
