1+ name : " VIP impersonation with BEC language (near match, untrusted sender)"
2+ description : |
3+ Sender is using a display name that matches the display name of someone in your $org_vips list.
4+
5+ Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.
6+ type : " rule"
7+ severity : " medium"
8+ source : |
9+ type.inbound
10+ and any($org_vips,
11+ 0 <= strings.ilevenshtein(sender.display_name, .display_name) < 4
12+ or 0 <= strings.ilevenshtein(sender.display_name,
13+ strings.concat(.first_name,
14+ " ",
15+ .last_name
16+ )
17+ ) < 4
18+ or 0 <= strings.ilevenshtein(sender.display_name,
19+ strings.concat(.last_name,
20+ ", ",
21+ .first_name
22+ )
23+ ) < 4
24+ )
25+ and any(ml.nlu_classifier(body.current_thread.text).intents,
26+ .name == "bec" and .confidence in ("medium", "high")
27+ )
28+ and (
29+ (
30+ profile.by_sender().prevalence != "common"
31+ and not profile.by_sender().solicited
32+ )
33+ or (
34+ profile.by_sender().any_messages_malicious_or_spam
35+ and not profile.by_sender().any_messages_benign
36+ )
37+ or profile.by_sender().days_since.last_outbound > 365
38+ )
39+ // negate sharepoint notifications originating from within the org
40+ and not (
41+ sender.email.email in ('no-reply@sharepointonline.com')
42+ and length(headers.reply_to) > 0
43+ and all(headers.reply_to, .email.domain.root_domain in $org_domains)
44+ )
45+ // negate highly trusted sender domains unless they fail DMARC authentication
46+ and (
47+ (
48+ sender.email.domain.root_domain in $high_trust_sender_root_domains
49+ and not headers.auth_summary.dmarc.pass
50+ )
51+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
52+ )
53+ and not profile.by_sender().any_messages_benign
54+ tags :
55+ - " Attack surface reduction"
56+ attack_types :
57+ - " BEC/Fraud"
58+ tactics_and_techniques :
59+ - " Impersonation: VIP"
60+ - " Social engineering"
61+ detection_methods :
62+ - " Content analysis"
63+ - " Natural Language Understanding"
64+ - " Sender analysis"
65+ id : " af52ee6e-31f3-52e7-ba94-1e460c89628f"
66+ og_id : " 303081da-6850-5ba6-9589-c3dc7673320e"
67+ testing_pr : 4513
68+ testing_sha : 90a3176084fd25d367a7582d78b2cd7bb9c4b8b5
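Review bot: The `and not profile.by_sender().any_messages_benign` inside the second `or (` branch of the sender-profile group is made redundant by the identical condition applied to the whole rule just before `tags`, so that branch effectively reduces to `profile.by_sender().any_messages_malicious_or_spam`; drop the inner line, or the trailing one if the intent was that only that branch should require no benign history, so the gating reads as intended. The `0 <=` lower bounds on the three `strings.ilevenshtein` comparisons look like null guards rather than a real range; a short comment such as `// lower bound keeps a null distance from matching` would make that explicit, and if that is not the intent they can be dropped. The `$org_vips` entries are matched on display name only; if the list also carries the VIP's own address, excluding messages where `sender.email.email` equals that address would avoid flagging the VIP writing from their own mailbox, which is worth confirming against the list definition.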