diff --git a/detection-rules/vip_impersonation_prev_thread_space_colon.yml b/detection-rules/vip_impersonation_prev_thread_space_colon.yml
new file mode 100644
index 00000000000..f3cc8f6eeee
--- /dev/null
+++ b/detection-rules/vip_impersonation_prev_thread_space_colon.yml
@@ -0,0 +1,64 @@
+name: "VIP Impersonation: Fabricated thread history with fake VIP recipients"
+description: "Detects inbound messages that contain forged prior thread histories where the fake headers use abnormal spacing around colons - a hallmark of programmatically generated preambles. The fabricated threads reference VIP recipients from the organization who are absent from the live message's actual recipients, suggesting the thread was constructed to manufacture legitimacy. Observed messages impersonate finance or accounts payable workflows, referencing overdue invoices, balance statements, and payment requests targeting real vendors and internal stakeholders."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(filter(body.previous_threads,
+ // single recipient in the previous thread
+ length(.recipients.to) == 1
+ and length(.recipients.cc) == 0
+ // contains spaces around the colons of the "headers"
+ and strings.count(.preamble, ' : ') >= 2
+ and regex.icount(.preamble, '(?m)^\s*[a-z]+ +: +\S') == regex.icount(.preamble,
+ '(?m)^.'
+ )
+ ),
+ // the previous thread with the goofy spaces
+ // includes a VIP as a recipeint
+ any(map(filter(.recipients.to,
+ // via email
+ .email.email != ""
+ and any($org_vips,
+ strings.icontains(..email.email, .email)
+ or strings.icontains(..display_name,
+ .display_name
+ )
+ )
+ ),
+ .email.email
+ ),
+ // email is not in the "live" messages
+ not strings.icontains(sender.email.email, .)
+ and not any(recipients.to, strings.icontains(.email.email, ..))
+ and not any(recipients.cc, strings.icontains(.email.email, ..))
+ )
+ or any(map(filter(.recipients.to,
+ // via display_name
+ .email.email == ""
+ and any($org_vips,
+ strings.icontains(..display_name,
+ .display_name
+ )
+ )
+ ),
+ .display_name
+ ),
+ // display name is not in the "live" messages
+ not any(recipients.to, .display_name == ..)
+ and not any(recipients.cc, .display_name == ..)
+ and sender.display_name != .
+ )
+ )
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Impersonation: VIP"
+ - "Social engineering"
+ - "Evasion"
+ - "Spoofing"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
+id: "b566ef3c-f5c0-5937-a73a-f33b98e02275"
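Review bot: The display-name exclusion at the end of the hunk compares case-sensitively (`.display_name == ..`, `sender.display_name != .`) while the VIP match feeding it uses `strings.icontains`, so a live recipient whose display name differs from the fake thread's entry only in letter case is treated as absent and the rule fires on a legitimate reply. Mirroring the email branch above keeps both sides consistent: `not any(recipients.to, strings.icontains(.display_name, ..))`, `and not any(recipients.cc, strings.icontains(.display_name, ..))`, `and not strings.icontains(sender.display_name, .)`. Separately, `strings.icontains(x, "")` is presumably true for any x, so an `$org_vips` entry with an empty display_name (or email) would match every recipient of the fake thread; if the list is not validated elsewhere, a guard such as `..display_name != ""` inside the `any($org_vips, ...)` calls is worth adding. The comment `// includes a VIP as a recipeint` misspells `recipient`.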