EXPLORE
Sign In
← Back to Explore
sublimemediumRule

VIP / Executive impersonation in subject (untrusted)

Sender subject contains the display name of a user in the $org_vips list, and the sender has never been seen before. The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender. Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.

MITRE ATT&CK

T1566.002T1534T1656
initial-access

Detection Query

type.inbound
and any($org_vips,
        strings.contains(subject.subject, .display_name)
        and strings.contains(.display_name, " ")
)
// not being sent to said VIP
and not (
  (
    length(recipients.to) == 1
    and all(recipients.to,
            any($org_vips,
                .email == ..email.email
                and strings.contains(subject.subject, .display_name)
                and strings.contains(.display_name, " ")
            )
    )
  )
)
and (
  // ignore personal <> work emails
  // where the sender and mailbox's display name are the same
  length(recipients.to) > 0
  or length(recipients.cc) > 0
  or sender.display_name != mailbox.display_name
)
// bounce-back negations
and not strings.like(sender.email.local_part,
                     "*postmaster*",
                     "*mailer-daemon*",
                     "*administrator*"
)
and not any(attachments,
            .content_type in (
              "message/rfc822",
              "message/delivery-status",
              "text/calendar"
            )
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

// negate org domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $org_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $org_domains
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "VIP / Executive impersonation in subject (untrusted)"
description: |
  Sender subject contains the display name of a user in the $org_vips list, and the sender has never been seen before.
  
  The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work.
  Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
  
  This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender.
  
  Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any($org_vips,
          strings.contains(subject.subject, .display_name)
          and strings.contains(.display_name, " ")
  )
  // not being sent to said VIP
  and not (
    (
      length(recipients.to) == 1
      and all(recipients.to,
              any($org_vips,
                  .email == ..email.email
                  and strings.contains(subject.subject, .display_name)
                  and strings.contains(.display_name, " ")
              )
      )
    )
  )
  and (
    // ignore personal <> work emails
    // where the sender and mailbox's display name are the same
    length(recipients.to) > 0
    or length(recipients.cc) > 0
    or sender.display_name != mailbox.display_name
  )
  // bounce-back negations
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not any(attachments,
              .content_type in (
                "message/rfc822",
                "message/delivery-status",
                "text/calendar"
              )
  )
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  
  // negate org domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $org_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $org_domains
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: VIP"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "0a641fe5-70b9-5f4e-9c34-0d70eac11fae"