
Commit fbcd55d

[Shared Samples] [PR #4515] added rule: PR# 4515 - VIP impersonation: Fake thread with display name match, email mismatch
1 parent 3f264a4 commit fbcd55d

1 file changed

Lines changed: 93 additions & 0 deletions


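--- /dev/null
+++ b/PATH_NOT_SHOWN_IN_SOURCE
@@ -0,0 +1,93 @@
+name: "PR# 4515 - VIP impersonation: Fake thread with display name match, email mismatch"
+description: "This rule is intended to detect fake threads that are impersonating a VIP. It looks for a matching $org_vips display name and checks the email address following it does not match what is in the $org_vips list."
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+and any($org_vips,
+(
+strings.icontains(body.html.display_text,
+strings.concat("From: ", .display_name, " <")
+)
+or strings.icontains(body.html.display_text,
+strings.concat("From: ",
+strings.concat(.first_name,
+" ",
+.last_name
+),
+" <"
+)
+)
+or strings.icontains(body.html.display_text,
+strings.concat("From: ",
+strings.concat(.last_name,
+", ",
+.first_name
+),
+" <"
+)
+)
+)
+and not (
+strings.icontains(body.html.display_text,
+strings.concat("From: ",
+.display_name,
+" <",
+.email,
+">"
+)
+)
+or strings.icontains(body.html.display_text,
+strings.concat("From: ",
+strings.concat(.first_name,
+" ",
+.last_name
+),
+" <",
+.email,
+">"
+)
+)
+or strings.icontains(body.html.display_text,
+strings.concat("From: ",
+strings.concat(.last_name,
+", ",
+.first_name
+),
+" <",
+.email,
+">"
+)
+)
+)
+)
+and any([body.current_thread.text, body.html.display_text, body.plain.raw],
+3 of (
+strings.icontains(., "from:"),
+strings.icontains(., "to:"),
+strings.icontains(., "sent:"),
+strings.icontains(., "date:"),
+strings.icontains(., "cc:"),
+strings.icontains(., "subject:")
+)
+)
+and (length(headers.references) == 0 or headers.in_reply_to is null)
+attack_types:
+- "BEC/Fraud"
+tactics_and_techniques:
+- "Evasion"
+- "Impersonation: VIP"
+- "Social engineering"
+- "Spoofing"
+detection_methods:
+- "Content analysis"
+- "Header analysis"
+- "Sender analysis"
+- "Whois"
+id: "a067b4db-294b-5177-ab12-0671ec5c7d63"
+tags:
+- created_from_open_prs
+- rule_status_modified
+- pr_author_IndiaAce
+references:
+- https://github.com/sublime-security/sublime-rules/pull/4515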
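Review bot: The display-name/e-mail mismatch checks (file lines 9–61) only inspect `body.html.display_text`, while the quoted-header heuristic at file line 64 also scans `body.current_thread.text` and `body.plain.raw`, so a plain-text-only message can never satisfy the first clause and the wider `any([...])` adds nothing for it; either search the same field set in both places or state the limitation in the source with a comment such as `// impersonated "From:" lines are only searched in body.html.display_text; plain-text-only messages do not match`. The `detection_methods` list (file lines 82–86) claims "Sender analysis" and "Whois", but nothing in `source` inspects the sender or any WHOIS data — drop those two entries or add the corresponding logic so the metadata matches the rule. Consider also whether a legitimate internal forward of a VIP's message that quotes an address not present in `$org_vips` would fire this rule; if the samples show that case, an exclusion on the actual sender (for example when `sender.email.email` is one of the `$org_vips` addresses) may be worth adding.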
