Sublime rule, severity: medium
Attachment: USDA bid invitation impersonation
Detects messages claiming to be from USDA containing bid invitations with macro-enabled attachments or PDFs. Validates USDA-related content through OCR and natural language analysis.
Detection Query
type.inbound
and length(attachments) == 1
and all(attachments,
        (.file_extension in~ $file_extensions_macros or .file_type == "pdf")
        and any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).entities,
                    strings.icontains(.text, "Agriculture")
                )
        )
)
and strings.icontains(body.current_thread.text, "bid")
and (
  strings.icontains(subject.subject, 'invitation to bid')
  or any(attachments, strings.icontains(.file_name, 'usda'))
)
and strings.icontains(sender.email.domain.domain, "usda")
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .text == "usda" and .name in ("sender", "org")
)
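To show how the clauses above combine, the following is an added Python model of the rule's logic run over constructed sample messages. It is not Sublime's engine or the rule's own code: the message schema, the macro-extension list, the OCR entity texts and the NLU entities are stand-ins for what `file.explode`, `ml.nlu_classifier` and the message attributes would supply, and the sender domains are placeholders. The samples cover the matching case plus three near-misses (two attachments, OCR text without "Agriculture", and an unrelated sender domain) so the effect of each conjunct is visible.

```python
"""Added example: plain-Python model of the USDA bid-invitation rule's clauses.
Not Sublime's code; all schemas and sample values below are constructed stand-ins."""
from dataclasses import dataclass, replace
from typing import Dict, List

# Stand-in for $file_extensions_macros (assumed contents, not the platform's list).
# Membership is tested case-insensitively, mirroring the MQL `in~` operator.
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm", "xlam"}


@dataclass
class Attachment:
    file_name: str
    file_extension: str
    file_type: str
    ocr_entity_texts: List[str]  # entity texts from NLU over the exploded file's OCR output


@dataclass
class Entity:
    text: str  # normalised entity text, e.g. "usda"
    name: str  # entity type, e.g. "sender" or "org"


@dataclass
class Message:
    sender_domain: str
    subject: str
    body: str
    attachments: List[Attachment]
    body_entities: List[Entity]  # stand-in for ml.nlu_classifier(body.current_thread.text).entities


def icontains(haystack: str, needle: str) -> bool:
    """strings.icontains: case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def attachment_matches(att: Attachment) -> bool:
    """An attachment is in scope when it is macro-enabled or a PDF and the
    OCR-derived entities mention "Agriculture"."""
    in_scope_type = att.file_extension.lower() in MACRO_EXTENSIONS or att.file_type == "pdf"
    return in_scope_type and any(icontains(t, "Agriculture") for t in att.ocr_entity_texts)


def matches_usda_bid_rule(msg: Message) -> bool:
    """Every clause of the rule is ANDed; the order follows the MQL."""
    if len(msg.attachments) != 1:                     # length(attachments) == 1
        return False
    if not all(attachment_matches(a) for a in msg.attachments):
        return False
    if not icontains(msg.body, "bid"):                # body mentions a bid
        return False
    if not (icontains(msg.subject, "invitation to bid")
            or any(icontains(a.file_name, "usda") for a in msg.attachments)):
        return False
    if not icontains(msg.sender_domain, "usda"):      # sender domain contains "usda"
        return False
    # The NLU clause is an exact, lower-case comparison on the entity text.
    return any(e.text == "usda" and e.name in ("sender", "org") for e in msg.body_entities)


def _bid_attachment(name: str = "USDA_Bid_Package.docm", ext: str = "docm", ftype: str = "docm",
                    ocr=("United States Department of Agriculture", "Invitation to Bid")) -> Attachment:
    return Attachment(name, ext, ftype, list(ocr))


# Constructed samples; domains are placeholders, not real senders.
_BASE = Message(
    sender_domain="usda-procurement.invalid",
    subject="Invitation to Bid: facilities maintenance solicitation",
    body="Please review the attached bid package and return your quote.",
    attachments=[_bid_attachment()],
    body_entities=[Entity("usda", "sender")],
)

SAMPLES: Dict[str, Message] = {
    "impersonation_docm": _BASE,
    # length(attachments) == 1 fails, so the rule does not fire.
    "two_attachments": replace(_BASE, attachments=[_bid_attachment(),
                                                   _bid_attachment("terms.pdf", "pdf", "pdf")]),
    # Macro file, but the OCR entities never mention "Agriculture".
    "no_agriculture_ocr": replace(_BASE, attachments=[_bid_attachment(ocr=("Invoice", "Total due"))]),
    # Everything else lines up, but the sender domain lacks "usda".
    "unrelated_sender_domain": replace(_BASE, sender_domain="vendor-portal.invalid"),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the model over every constructed sample."""
    return {name: matches_usda_bid_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24s} -> {'FLAGGED' if hit else 'pass'}")
```

Only the first sample is flagged; each of the other three fails exactly one conjunct, which is the property to keep in mind when tuning a rule of this shape: loosening any single clause widens the match set for every message, not just the one being investigated.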
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: USDA bid invitation impersonation"
description: "Detects messages claiming to be from USDA containing bid invitations with macro-enabled attachments or PDFs. Validates USDA-related content through OCR and natural language analysis."
type: "rule"
severity: "medium"
references:
  - "https://www.proofpoint.com/uk/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids"
source: |
  type.inbound
  and length(attachments) == 1
  and all(attachments,
          (.file_extension in~ $file_extensions_macros or .file_type == "pdf")
          and any(file.explode(.),
                  any(ml.nlu_classifier(.scan.ocr.raw).entities,
                      strings.icontains(.text, "Agriculture")
                  )
          )
  )
  and strings.icontains(body.current_thread.text, "bid")
  and (
    strings.icontains(subject.subject, 'invitation to bid')
    or any(attachments, strings.icontains(.file_name, 'usda'))
  )
  and strings.icontains(sender.email.domain.domain, "usda")
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .text == "usda" and .name in ("sender", "org")
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "Macros"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "34eb9493-f74b-535a-8e21-bb37ca69b7f4"