
Commit d53edf4

[Test Rules] [PR #4798] added rule: VIP Impersonation: Fabricated thread history with fake VIP recipients
1 parent 1782e10 commit d53edf4

1 file changed

Lines changed: 67 additions & 0 deletions

Lines changed: 67 additions & 0 deletions
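--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>.yml
@@ -0,0 +1,67 @@
+name: "VIP Impersonation: Fabricated thread history with fake VIP recipients"
+description: "Detects inbound messages that contain forged prior thread histories where the fake headers use abnormal spacing around colons - a hallmark of programmatically generated preambles. The fabricated threads reference VIP recipients from the organization who are absent from the live message's actual recipients, suggesting the thread was constructed to manufacture legitimacy. Observed messages impersonate finance or accounts payable workflows, referencing overdue invoices, balance statements, and payment requests targeting real vendors and internal stakeholders."
+type: "rule"
+severity: "high"
+source: |
+type.inbound
+and any(filter(body.previous_threads,
+// single recipient in the previous thread
+length(.recipients.to) == 1
+and length(.recipients.cc) == 0
+// contains spaces around the colons of the "headers"
+and strings.count(.preamble, ' : ') >= 2
+and regex.icount(.preamble, '(?m)^\s*[a-z]+ +: +\S') == regex.icount(.preamble,
+'(?m)^.'
+)
+),
+// the previous thread with the goofy spaces
+// includes a VIP as a recipeint
+any(map(filter(.recipients.to,
+// via email
+.email.email != ""
+and any($org_vips,
+strings.icontains(..email.email, .email)
+or strings.icontains(..display_name,
+.display_name
+)
+)
+),
+.email.email
+),
+// email is not in the "live" messages
+not strings.icontains(sender.email.email, .)
+and not any(recipients.to, strings.icontains(.email.email, ..))
+and not any(recipients.cc, strings.icontains(.email.email, ..))
+)
+or any(map(filter(.recipients.to,
+// via display_name
+.email.email == ""
+and any($org_vips,
+strings.icontains(..display_name,
+.display_name
+)
+)
+),
+.display_name
+),
+// display name is not in the "live" messages
+not any(recipients.to, .display_name == ..)
+and not any(recipients.cc, .display_name == ..)
+and sender.display_name != .
+)
+)
+attack_types:
+- "BEC/Fraud"
+tactics_and_techniques:
+- "Impersonation: VIP"
+- "Social engineering"
+- "Evasion"
+- "Spoofing"
+detection_methods:
+- "Content analysis"
+- "Header analysis"
+- "Sender analysis"
+id: "e55b2be0-9c79-5b35-8cf3-b5c28a326083"
+og_id: "b566ef3c-f5c0-5937-a73a-f33b98e02275"
+testing_pr: 4798
+testing_sha: e2cb3d334d6bb4ddfce35e1a1ded0bf3de34c860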
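Review bot: In the `// via email` filter, the VIP match `or strings.icontains(..display_name, .display_name)` has no guard for a `$org_vips` entry whose display_name is empty; if `strings.icontains` treats an empty needle as a match (I cannot confirm that from here), every previous-thread recipient would satisfy such an entry and the "fake VIP" condition collapses to "any single-recipient thread with spaced colons". The `// via display_name` branch has the same exposure, and the email match `strings.icontains(..email.email, .email)` would behave the same way for an entry with an empty email. I would require the VIP field to be non-empty before the substring test, e.g. `or (.display_name != "" and strings.icontains(..display_name, .display_name))` and `(.email != "" and strings.icontains(..email.email, .email))`. Separately, the comment `// includes a VIP as a recipeint` should read `recipient`.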
