[Test Rules] [PR #4513] added rule: VIP impersonation with urgent request (strict match, untrusted sender)

github-actions[bot] · github-actions[bot] · commit 3c8af1f6a558 · 2026-05-20T17:41:47.000Z
diff --git a/detection-rules/4513_impersonation_vip_urgent_request.yml b/detection-rules/4513_impersonation_vip_urgent_request.yml
@@ -0,0 +1,67 @@
+name: "VIP impersonation with urgent request (strict match, untrusted sender)"
+description: |
+  Sender is using a display name that matches the display name of someone in your $org_vips list.
+
+  Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any($org_vips,
+          .display_name =~ sender.display_name
+          or strings.concat(.first_name, " ", .last_name) == sender.display_name
+          or strings.concat(.last_name, ", ", .first_name) == sender.display_name
+  )
+  and (
+    any(ml.nlu_classifier(body.current_thread.text).intents,
+        .name == "bec" and .confidence in ("medium", "high")
+    )
+    or (
+      any(ml.nlu_classifier(body.current_thread.text).entities,
+          .name == "urgency"
+      )
+      and any(ml.nlu_classifier(body.current_thread.text).entities,
+              .name == "request"
+      )
+    )
+  )
+  and (
+    (
+      profile.by_sender().prevalence != "common"
+      and not profile.by_sender().solicited
+    )
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_messages_benign
+    )
+    or profile.by_sender().days_since.last_outbound > 365
+  )
+  // negate sharepoint notifications originating from within the org
+  and not (
+    sender.email.email in ('no-reply@sharepointonline.com')
+    and length(headers.reply_to) > 0
+    and all(headers.reply_to, .email.domain.root_domain in $org_domains)
+  )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  and not profile.by_sender().any_messages_benign
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Impersonation: VIP"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Content analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+id: "5bb1c65e-b217-59bc-b9a6-4b7e6defc225"
+og_id: "0dd1fa60-6e89-5f70-81a1-6b64eef0e428"
+testing_pr: 4513
+testing_sha: 90a3176084fd25d367a7582d78b2cd7bb9c4b8b5
