
Commit 3f8c0d4

[Test Rules] [PR #4515] added rule: VIP / Executive impersonation in subject (untrusted)
1 parent c55cb79 commit 3f8c0d4

1 file changed

Lines changed: 114 additions & 0 deletions


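--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,114 @@
+name: "VIP / Executive impersonation in subject (untrusted)"
+description: |
+Sender subject contains the display name of a user in the $org_vips list, and the sender has never been seen before.
+
+The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work.
+Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
+
+This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender.
+
+Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+and any($org_vips,
+(
+strings.contains(subject.subject, .display_name)
+or strings.contains(subject.subject,
+strings.concat(.first_name, " ", .last_name)
+)
+or strings.contains(subject.subject,
+strings.concat(.last_name, ", ", .first_name)
+)
+)
+and strings.contains(.display_name, " ")
+)
+// not being sent to said VIP
+and not (
+(
+length(recipients.to) == 1
+and all(recipients.to,
+any($org_vips,
+.email == ..email.email
+and (
+strings.contains(subject.subject, .display_name)
+or strings.contains(subject.subject,
+strings.concat(.first_name,
+" ",
+.last_name
+)
+)
+or strings.contains(subject.subject,
+strings.concat(.last_name,
+", ",
+.first_name
+)
+)
+)
+and strings.contains(.display_name, " ")
+)
+)
+)
+)
+and (
+// ignore personal <> work emails
+// where the sender and mailbox's display name are the same
+length(recipients.to) > 0
+or length(recipients.cc) > 0
+or sender.display_name != mailbox.display_name
+)
+// bounce-back negations
+and not strings.like(sender.email.local_part,
+"*postmaster*",
+"*mailer-daemon*",
+"*administrator*"
+)
+and not any(attachments,
+.content_type in (
+"message/rfc822",
+"message/delivery-status",
+"text/calendar"
+)
+)
+and (
+(
+profile.by_sender().prevalence in ("new", "outlier")
+and not profile.by_sender().solicited
+)
+or (
+profile.by_sender().any_messages_malicious_or_spam
+and not profile.by_sender().any_messages_benign
+)
+)
+
+// negate org domains unless they fail DMARC authentication
+and (
+(
+sender.email.domain.root_domain in $org_domains
+and not headers.auth_summary.dmarc.pass
+)
+or sender.email.domain.root_domain not in $org_domains
+)
+
+// negate highly trusted sender domains unless they fail DMARC authentication
+and (
+(
+sender.email.domain.root_domain in $high_trust_sender_root_domains
+and not headers.auth_summary.dmarc.pass
+)
+or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+)
+tags:
+- "Attack surface reduction"
+attack_types:
+- "BEC/Fraud"
+tactics_and_techniques:
+- "Impersonation: VIP"
+detection_methods:
+- "Header analysis"
+- "Sender analysis"
+id: "5684e13e-da17-582a-a2f1-b1a813fe65a7"
+og_id: "0a641fe5-70b9-5f4e-9c34-0d70eac11fae"
+testing_pr: 4515
+testing_sha: 1658ad9fc984cdf4e2a8a85f6af83206ffd6dde1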
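Review bot: The subject match on file lines 17-23 uses `strings.contains`, which compares case-sensitively, so a subject that writes the VIP's name in a different case than the $org_vips entry (all caps, all lower) is not matched even though the description promises to catch *any* message naming a protected display name; the case-insensitive variant, e.g. `strings.icontains(subject.subject, .display_name)`, closes that gap. If that substitution is made, it must be mirrored in the "not being sent to said VIP" carve-out on lines 35-47, otherwise the main condition and the exclusion would disagree on mixed-case matches and a VIP's own legitimate mail would start alerting; the bounce-back `strings.like` on line 62 has the same case-sensitivity property and `strings.ilike` would align it. The `strings.contains(.display_name, " ")` guards on lines 25 and 49 are unaffected, as they only test for a space. Separately, the description's "the sender has never been seen before" understates lines 74-83, which also fire on `outlier` prevalence and on senders with malicious/spam history and no benign messages; wording such as "the sender is new or an outlier for this mailbox, or has only ever sent malicious or spam messages" would match the logic.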
