
Commit 8b3f150

[Test Rules] [PR #4513] added rule: VIP impersonation with BEC language (near match, untrusted sender)
1 parent c41f316 commit 8b3f150

1 file changed

Lines changed: 68 additions & 0 deletions


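--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,68 @@
+name: "VIP impersonation with BEC language (near match, untrusted sender)"
+description: |
+Sender is using a display name that matches the display name of someone in your $org_vips list.
+
+Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+and any($org_vips,
+0 <= strings.ilevenshtein(sender.display_name, .display_name) < 4
+or 0 <= strings.ilevenshtein(sender.display_name,
+strings.concat(.first_name,
+" ",
+.last_name
+)
+) < 4
+or 0 <= strings.ilevenshtein(sender.display_name,
+strings.concat(.last_name,
+", ",
+.first_name
+)
+) < 4
+)
+and any(ml.nlu_classifier(body.current_thread.text).intents,
+.name == "bec" and .confidence in ("medium", "high")
+)
+and (
+(
+profile.by_sender().prevalence != "common"
+and not profile.by_sender().solicited
+)
+or (
+profile.by_sender().any_messages_malicious_or_spam
+and not profile.by_sender().any_messages_benign
+)
+or profile.by_sender().days_since.last_outbound > 365
+)
+// negate sharepoint notifications originating from within the org
+and not (
+sender.email.email in ('no-reply@sharepointonline.com')
+and length(headers.reply_to) > 0
+and all(headers.reply_to, .email.domain.root_domain in $org_domains)
+)
+// negate highly trusted sender domains unless they fail DMARC authentication
+and (
+(
+sender.email.domain.root_domain in $high_trust_sender_root_domains
+and not headers.auth_summary.dmarc.pass
+)
+or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+)
+and not profile.by_sender().any_messages_benign
+tags:
+- "Attack surface reduction"
+attack_types:
+- "BEC/Fraud"
+tactics_and_techniques:
+- "Impersonation: VIP"
+- "Social engineering"
+detection_methods:
+- "Content analysis"
+- "Natural Language Understanding"
+- "Sender analysis"
+id: "af52ee6e-31f3-52e7-ba94-1e460c89628f"
+og_id: "303081da-6850-5ba6-9589-c3dc7673320e"
+testing_pr: 4513
+testing_sha: 90a3176084fd25d367a7582d78b2cd7bb9c4b8b5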
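Review bot: The `< 4` bound on the three `strings.ilevenshtein` comparisons in the `any($org_vips, …)` block is absolute rather than relative to name length, so a VIP whose display name is three characters or shorter would be "near matched" by essentially any sender display name of similar length once the NLU and sender-profile conditions hold; consider a minimum-length guard such as `and length(sender.display_name) > 4` inside that block (if `length` accepts strings as it does lists here) or a tighter threshold for short names. The `0 <=` lower bound on the same three lines is redundant, since an edit distance cannot be negative. The `and not profile.by_sender().any_messages_benign` inside the `any_messages_malicious_or_spam` branch is subsumed by the identical condition applied to the whole rule just before `tags:`, so one of the two can be dropped. The high-trust-domain block is logically equivalent to the single line `and (sender.email.domain.root_domain not in $high_trust_sender_root_domains or not headers.auth_summary.dmarc.pass)`, which reads more directly than the two-branch form.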
