[Test Rules] [PR #4513] added rule: VIP impersonation with w2 request with reply-to mismatch

github-actions[bot] · github-actions[bot] · commit d49e795f48e4 · 2026-05-20T17:41:47.000Z
diff --git a/detection-rules/4513_impersonation_vip_w2_request.yml b/detection-rules/4513_impersonation_vip_w2_request.yml
@@ -0,0 +1,62 @@
+name: "VIP impersonation with w2 request with reply-to mismatch"
+description: "This rule detects emails attempting to impersonate a VIP requesting a W-2 with a reply-to mismatch."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and (
+    any($org_vips,
+        strings.contains(sender.display_name, .display_name)
+        or strings.contains(sender.display_name,
+                            strings.concat(.first_name, " ", .last_name)
+        )
+        or strings.contains(sender.display_name,
+                            strings.concat(.last_name, ", ", .first_name)
+        )
+    )
+    or any(regex.extract(sender.display_name, '^(?<first>\S+)\s+(?<second>\S+)$'),
+           any($org_vips,
+               strings.contains(.display_name, ..named_groups["first"])
+               and strings.contains(.display_name, ..named_groups["second"])
+           )
+    )
+  )
+  and not (
+    sender.email.domain.domain in $org_domains
+    and coalesce(headers.auth_summary.dmarc.pass, false)
+  )
+  
+  // W-2 Language with a request
+  and (
+    strings.contains(strings.replace_confusables(subject.base), 'W-2')
+    or strings.icontains(subject.base, 'w2')
+    or strings.icontains(subject.base, 'wage')
+    or strings.icontains(subject.base, 'tax form')
+    or strings.icontains(subject.base, 'irs')
+  )
+  and strings.contains(body.current_thread.text, 'W-2')
+  and any(ml.nlu_classifier(body.current_thread.text).entities,
+          .name == "request"
+  )
+  
+  // different reply-to address
+  and length(headers.reply_to) > 0
+  and sender.email.email not in map(headers.reply_to, .email.email)
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and not (
+    sender.email.domain.root_domain in $high_trust_sender_root_domains
+    and coalesce(headers.auth_summary.dmarc.pass, false)
+  )
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Impersonation: VIP"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+id: "49b212a6-2fa1-5f27-b18e-75126c6b337c"
+og_id: "e7e73fad-6ce6-51f9-9b52-40eaef71f5a1"
+testing_pr: 4513
+testing_sha: 90a3176084fd25d367a7582d78b2cd7bb9c4b8b5
