EXPLORE
Sign In
← Back to Explore
sublimemediumRule

VIP impersonation: Fake thread with display name match, email mismatch

This rule is intended to detect fake threads that are impersonating a VIP. It looks for a matching $org_vips display name and checks the email address following it does not match what is in the $org_vips list.

MITRE ATT&CK

T1566.002T1534T1656T1036T1027T1566T1598
defense-evasioninitial-access

Detection Query

type.inbound
and any($org_vips,
        strings.icontains(body.html.display_text,
                          strings.concat("From: ", .display_name, " <")
        )
        and not strings.icontains(body.html.display_text,
                                  strings.concat("From: ",
                                                 .display_name,
                                                 " <",
                                                 .email,
                                                 ">"
                                  )
        )
)
and any([body.current_thread.text, body.html.display_text, body.plain.raw],
        3 of (
          strings.icontains(., "from:"),
          strings.icontains(., "to:"),
          strings.icontains(., "sent:"),
          strings.icontains(., "date:"),
          strings.icontains(., "cc:"),
          strings.icontains(., "subject:")
        )
)
and (length(headers.references) == 0 or headers.in_reply_to is null)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "VIP impersonation: Fake thread with display name match, email mismatch"
description: "This rule is intended to detect fake threads that are impersonating a VIP. It looks for a matching $org_vips display name and checks the email address following it does not match what is in the $org_vips list."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any($org_vips,
          strings.icontains(body.html.display_text,
                            strings.concat("From: ", .display_name, " <")
          )
          and not strings.icontains(body.html.display_text,
                                    strings.concat("From: ",
                                                   .display_name,
                                                   " <",
                                                   .email,
                                                   ">"
                                    )
          )
  )
  and any([body.current_thread.text, body.html.display_text, body.plain.raw],
          3 of (
            strings.icontains(., "from:"),
            strings.icontains(., "to:"),
            strings.icontains(., "sent:"),
            strings.icontains(., "date:"),
            strings.icontains(., "cc:"),
            strings.icontains(., "subject:")
          )
  )
  and (length(headers.references) == 0 or headers.in_reply_to is null)
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: VIP"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "Whois"
id: "11cc3e28-65db-5c7e-9436-9d0a700da971"