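--- a/detection-rules/vip_impersonation_prev_thread_space_colon.yml
+++ b/detection-rules/vip_impersonation_prev_thread_space_colon.yml
@@ -0,0 +1,64 @@
+name: "VIP Impersonation: Fabricated thread history with fake VIP recipients"
+description: "Detects inbound messages that contain forged prior thread histories where the fake headers use abnormal spacing around colons - a hallmark of programmatically generated preambles. The fabricated threads reference VIP recipients from the organization who are absent from the live message's actual recipients, suggesting the thread was constructed to manufacture legitimacy. Observed messages impersonate finance or accounts payable workflows, referencing overdue invoices, balance statements, and payment requests targeting real vendors and internal stakeholders."
+type: "rule"
+severity: "high"
+source: |
+type.inbound
+and any(filter(body.previous_threads,
+// single recipient in the previous thread
+length(.recipients.to) == 1
+and length(.recipients.cc) == 0
+// contains spaces around the colons of the "headers"
+and strings.count(.preamble, ' : ') >= 2
+and regex.icount(.preamble, '(?m)^\s*[a-z]+ +: +\S') == regex.icount(.preamble,
+'(?m)^.'
+)
+),
+// the previous thread with the goofy spaces
+// includes a VIP as a recipeint
+any(map(filter(.recipients.to,
+// via email
+.email.email != ""
+and any($org_vips,
+strings.icontains(..email.email, .email)
+or strings.icontains(..display_name,
+.display_name
+)
+)
+),
+.email.email
+),
+// email is not in the "live" messages
+not strings.icontains(sender.email.email, .)
+and not any(recipients.to, strings.icontains(.email.email, ..))
+and not any(recipients.cc, strings.icontains(.email.email, ..))
+)
+or any(map(filter(.recipients.to,
+// via display_name
+.email.email == ""
+and any($org_vips,
+strings.icontains(..display_name,
+.display_name
+)
+)
+),
+.display_name
+),
+// display name is not in the "live" messages
+not any(recipients.to, .display_name == ..)
+and not any(recipients.cc, .display_name == ..)
+and sender.display_name != .
+)
+)
+attack_types:
+- "BEC/Fraud"
+tactics_and_techniques:
+- "Impersonation: VIP"
+- "Social engineering"
+- "Evasion"
+- "Spoofing"
+detection_methods:
+- "Content analysis"
+- "Header analysis"
+- "Sender analysis"
+id: "b566ef3c-f5c0-5937-a73a-f33b98e02275"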
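Review bot: The "not in the live message" check in the display-name branch uses case-sensitive exact equality (`.display_name == ..` and `sender.display_name != .`) while the email branch uses `strings.icontains`, so a VIP who is genuinely on the live message under a differently-cased or slightly differently formatted display name is still treated as absent and the rule fires; `not any(recipients.to, strings.ieq(.display_name, ..))`, `and not any(recipients.cc, strings.ieq(.display_name, ..))`, `and not strings.ieq(sender.display_name, .)` would make the two branches agree. The VIP match itself, `strings.icontains(..display_name, .display_name)` in both filters, presumably matches every previous-thread recipient if any `$org_vips` entry carries an empty display name — worth confirming how the list is populated, or guarding with `.display_name != ""` inside the `any($org_vips, ...)`. The comment `// includes a VIP as a recipeint` has a typo (`recipient`).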