[Test Rules] [PR #4515] added rule: VIP impersonation with charitable donation fraud

Author: github-actions[bot]

detection-rules/4515_vip_impersonation_charity.yml

@@ -0,0 +1,90 @@
+name: "VIP impersonation with charitable donation fraud"
+description: "Fake email thread shows a VIP requesting a donation to a charity, usually addressed to Accounts Payable departments. Can result in monetary loss."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and strings.ilike(body.current_thread.text,
+                    "*charity*",
+                    "*gala*",
+                    "*donation*",
+                    "*donor*"
+  )
+  and any(ml.nlu_classifier(body.current_thread.text).entities,
+          .name == "financial"
+  )
+  and any(ml.nlu_classifier(body.current_thread.text).entities,
+          .name == "request"
+  )
+  and (
+    any($org_vips,
+        strings.icontains(body.html.inner_text, .display_name)
+        or strings.icontains(body.html.inner_text,
+                             strings.concat(.first_name, " ", .last_name)
+        )
+        or strings.icontains(body.html.inner_text,
+                             strings.concat(.last_name, ", ", .first_name)
+        )
+    )
+    or any($org_vips,
+           strings.icontains(body.plain.raw, .display_name)
+           or strings.icontains(body.plain.raw,
+                                strings.concat(.first_name, " ", .last_name)
+           )
+           or strings.icontains(body.plain.raw,
+                                strings.concat(.last_name, ", ", .first_name)
+           )
+    )
+  )
+  and (
+    (
+      (subject.is_forward or subject.is_reply)
+      and (
+        (length(headers.references) == 0 and headers.in_reply_to is null)
+        or not any(headers.hops,
+                   any(.fields, strings.ilike(.name, "In-Reply-To"))
+        )
+      )
+    )
+    // fake thread, but no indication in the subject line
+    // current_thread pulls the recent thread, but the full body contains the fake "original" email
+    or (
+      not ((subject.is_forward or subject.is_reply))
+      and (
+        3 of (
+          strings.icontains(body.html.display_text, "from:"),
+          strings.icontains(body.html.display_text, "to:"),
+          strings.icontains(body.html.display_text, "sent:"),
+          strings.icontains(body.html.display_text, "subject:")
+        )
+        or length(body.previous_threads) > 0
+      )
+      and (
+        length(body.current_thread.text) + 100 < length(body.html.display_text)
+      )
+      // negating bouncebacks
+      and not any(attachments,
+                  .content_type in ("message/delivery-status", "message/rfc822")
+      )
+    )
+  )
+  and (
+    profile.by_sender().prevalence in ("new", "rare")
+    or profile.by_sender().days_known > 30
+  )
+  and not profile.by_sender().any_messages_benign
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Impersonation: Employee"
+  - "Impersonation: VIP"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+id: "f1011d09-b7dc-5a80-a0eb-ae5f9e5f1ae1"
+og_id: "35a56b8e-9293-5ccf-95d3-c990152d8f48"
+testing_pr: 4515
+testing_sha: 1658ad9fc984cdf4e2a8a85f6af83206ffd6dde1