name: "VIP Impersonation: Fabricated thread history with fake VIP recipients"
description: "Detects inbound messages that contain forged prior thread histories where the fake headers use abnormal spacing around colons - a hallmark of programmatically generated preambles. The fabricated threads reference VIP recipients from the organization who are absent from the live message's actual recipients, suggesting the thread was constructed to manufacture legitimacy. Observed messages impersonate finance or accounts payable workflows, referencing overdue invoices, balance statements, and payment requests targeting real vendors and internal stakeholders."
type: "rule"
severity: "high"
source: |
type.inbound
and any(filter(body.previous_threads,
// single recipient in the previous thread
length(.recipients.to) == 1
and length(.recipients.cc) == 0
// contains spaces around the colons of the "headers"
and strings.count(.preamble, ' : ') >= 2
and regex.icount(.preamble, '(?m)^\s*[a-z]+ +: +\S') == regex.icount(.preamble,
'(?m)^.'
)
),
// the previous thread with the goofy spaces
// includes a VIP as a recipeint
any(map(filter(.recipients.to,
// via email
.email.email != ""
and any($org_vips,
strings.icontains(..email.email, .email)
or strings.icontains(..display_name,
.display_name
)
)
),
.email.email
),
// email is not in the "live" messages
not strings.icontains(sender.email.email, .)
and not any(recipients.to, strings.icontains(.email.email, ..))
and not any(recipients.cc, strings.icontains(.email.email, ..))
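Review bot: the `strings.icontains(..display_name, .display_name)` branch inside `any($org_vips, ...)` has no guard on the VIP side, so if any `$org_vips` entry carries an empty `display_name` and `strings.icontains` treats an empty needle as contained (the usual contains semantics), that entry matches every previous-thread recipient and the VIP check degrades into a pass-through; mirror the existing `.email.email != ""` guard with `.display_name != ""` (and `.email != ""`) on the list entry before calling `icontains`. Separately, the header-line pattern `'(?m)^\s*[a-z]+ +: +\S'` admits only alphabetic header names, so a fabricated preamble containing a hyphenated header such as Reply-To can never make that count equal the `'(?m)^.'` non-empty-line count and the rule silently misses it; `[a-z-]+` would admit it if that is the intent. Also, the live-message suppression uses substring matching (`strings.icontains(.email.email, ..)`), so a live recipient whose address merely contains the VIP address as a suffix suppresses the alert; an equality check on the lowercased addresses would be tighter. Finally, the comment `// includes a VIP as a recipeint` should read `recipient`.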