EXPLORE
Sign In
← Back to Explore
sublimehighRule

Brand impersonation: Internal Revenue Service

Detects messages from senders posing as the Internal Revenue Service by checking display name similarity and content indicators from body text and screenshots. Excludes legitimate IRS domains and authenticated senders.

MITRE ATT&CK

T1566.002T1534T1656T1566T1566.001T1598T1598.003
initial-access

Detection Query

type.inbound
and (
  // display name contains IRS
  (
    strings.ilike(strings.replace_confusables(sender.display_name),
                  '*internal revenue service*'
    )
    or strings.like(strings.replace_confusables(sender.display_name), 'IRS*')
  )
  // levenshtein distance similar to IRS
  or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                          'internal revenue service'
  ) <= 1
  or (
    strings.like(strings.replace_confusables(subject.base), '*IRS*')
    and any(ml.nlu_classifier(body.current_thread.text).topics,
            .name == "Government Services" and .confidence != "low"
    )
  )
)
and (
  (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Security and Authentication", "Financial Communications")
        and .confidence == "high"
    )
    and not any(ml.nlu_classifier(body.current_thread.text).topics,
                .name in (
                  "Advertising and Promotions",
                  "Newsletters and Digests",
                  "Political Mail",
                  "Events and Webinars"
                )
                and .confidence != "low"
    )
  )
  or (
    // OCR length is more than 2x the current_thread length
    // indicating that the body is mostly an image
    (
      (length(beta.ocr(file.message_screenshot()).text) + 0.0) / (
        length(body.current_thread.text) + 0.0
      )
    ) > 2
    and length(body.previous_threads) == 0
    and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
            .name in ("Security and Authentication", "Financial Communications")
            and .confidence == "high"
    )
    and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
                .name in (
                  "Advertising and Promotions",
                  "Newsletters and Digests",
                  "Political Mail",
                  "Events and Webinars"
                )
                and .confidence != "low"
    )
  )
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
  or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
)
and not (
  (
    length(body.current_thread.text) > 2500
    or any(headers.hops,
           any(.fields,
               .name == 'List-Unsubscribe-Post'
               and .value == 'List-Unsubscribe=One-Click'
           )
    )
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "benign" and .confidence == "high"
  )
)

// and the sender is not in org_domains or from .gov domains and passes auth
and not (
  sender.email.domain.root_domain in $org_domains
  or (
    (
      sender.email.domain.root_domain in ("govdelivery.com", "ms-cpa.org")
      or sender.email.domain.tld == "gov"
    )
    and headers.auth_summary.dmarc.pass
  )
)
// and the sender is not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: Internal Revenue Service"
description: "Detects messages from senders posing as the Internal Revenue Service by checking display name similarity and content indicators from body text and screenshots. Excludes legitimate IRS domains and authenticated senders."
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    // display name contains IRS
    (
      strings.ilike(strings.replace_confusables(sender.display_name),
                    '*internal revenue service*'
      )
      or strings.like(strings.replace_confusables(sender.display_name), 'IRS*')
    )
    // levenshtein distance similar to IRS
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'internal revenue service'
    ) <= 1
    or (
      strings.like(strings.replace_confusables(subject.base), '*IRS*')
      and any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Government Services" and .confidence != "low"
      )
    )
  )
  and (
    (
      any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in ("Security and Authentication", "Financial Communications")
          and .confidence == "high"
      )
      and not any(ml.nlu_classifier(body.current_thread.text).topics,
                  .name in (
                    "Advertising and Promotions",
                    "Newsletters and Digests",
                    "Political Mail",
                    "Events and Webinars"
                  )
                  and .confidence != "low"
      )
    )
    or (
      // OCR length is more than 2x the current_thread length
      // indicating that the body is mostly an image
      (
        (length(beta.ocr(file.message_screenshot()).text) + 0.0) / (
          length(body.current_thread.text) + 0.0
        )
      ) > 2
      and length(body.previous_threads) == 0
      and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
              .name in ("Security and Authentication", "Financial Communications")
              and .confidence == "high"
      )
      and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
                  .name in (
                    "Advertising and Promotions",
                    "Newsletters and Digests",
                    "Political Mail",
                    "Events and Webinars"
                  )
                  and .confidence != "low"
      )
    )
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
  )
  and not (
    (
      length(body.current_thread.text) > 2500
      or any(headers.hops,
             any(.fields,
                 .name == 'List-Unsubscribe-Post'
                 and .value == 'List-Unsubscribe=One-Click'
             )
      )
    )
    and any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "benign" and .confidence == "high"
    )
  )
  
  // and the sender is not in org_domains or from .gov domains and passes auth
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      (
        sender.email.domain.root_domain in ("govdelivery.com", "ms-cpa.org")
        or sender.email.domain.tld == "gov"
      )
      and headers.auth_summary.dmarc.pass
    )
  )
  // and the sender is not from high trust sender root domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "3c63f8e9-4bce-5ce3-b17d-1ae361b5782d"