EXPLORE
Sign In
← Back to Explore
sublimehighRule

Attachment: RFP/RFQ impersonating government entities

Attached RFP/RFQ impersonates a U.S. government department or entity to commit fraudulent transactions.

MITRE ATT&CK

T1566.002T1534T1656T1598.003T1566T1598
initial-access

Detection Query

type.inbound
and length(attachments) == 1
and all(attachments,
        .file_extension in~ $file_extensions_macros or .file_type == "pdf"
)
and regex.icontains(body.current_thread.text, "department of|office of")
and (
  regex.icontains(subject.subject,
                  '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
  )
  or any(attachments,
         regex.icontains(.file_name,
                         '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
         )
  )
)
and strings.icontains(sender.email.domain.domain, "gov")
and (
  any(ml.nlu_classifier(body.current_thread.text).tags,
      .name == "purchase_order"
  )
  and any(attachments,
          any(file.explode(.),
              any(ml.nlu_classifier(.scan.ocr.raw).entities,
                  regex.icontains(.text, "department of|office of")
              )
          )
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Attachment: RFP/RFQ impersonating government entities"
description: "Attached RFP/RFQ impersonates a U.S. government department or entity to commit fraudulent transactions."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(attachments) == 1
  and all(attachments,
          .file_extension in~ $file_extensions_macros or .file_type == "pdf"
  )
  and regex.icontains(body.current_thread.text, "department of|office of")
  and (
    regex.icontains(subject.subject,
                    '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
    )
    or any(attachments,
           regex.icontains(.file_name,
                           '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
           )
    )
  )
  and strings.icontains(sender.email.domain.domain, "gov")
  and (
    any(ml.nlu_classifier(body.current_thread.text).tags,
        .name == "purchase_order"
    )
    and any(attachments,
            any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).entities,
                    regex.icontains(.text, "department of|office of")
                )
            )
    )
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "3b73e3b3-b4cc-5e2d-9e9c-5812f3a0370a"