← Back to Explore
sublimehighRule
Impersonation: Internal corporate services
Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains.
Detection Query
type.inbound
// use distinct "urls" (without query params) to determine number of links
and 0 < length(distinct(body.links,
// strip out query params to determine
// the unique number of links
strings.concat(.href_url.scheme,
.href_url.domain.domain,
.href_url.path
)
)
) <= 8
// HR language found in subject
and (
(
length(subject.subject) > 20
and regex.icontains(subject.subject,
'(time.{0,4}sheet)|(employ|complete|update(?:d| to| regarding our)|workplace).{0,30}(benefit|handbook|comp\b|compensation|salary|\bpay(?:roll)?\b|policy|policies|guidelines?|conduct|acknowl|PTO|vacation|assess|eval)|(HR|Human Resources).{0,5}ADM[il]N',
// shorten the distance to 3 or less words for the word "review"
// special handling of benefits
'\breview\b(?:\w+(?:\s\w+)?|[[:punct:]]+|\s+){0,3}(benefits?(?:$|.?(?:statement|enrollment))|handbook|comp\b|compensation|salary|bonus|\bpay(?:roll)?\b)',
// handle the year in the subject, and expand the distance to 5 or less words
'20\d{2}\b(?:\w+(?:\s\w+)?|[[:punct:]]+|\s+){0,5}(benefits?(?:$|.?(?:statement|enrollment))|handbook|comp\b|compensation|salary|bonus|\bpay(?:roll)?\b)'
)
)
// or HR language found in sender
or (
regex.icontains(sender.display_name,
'(Employ|Time.{0,3}sheet|\bHR\b|Human R|Handbook|\bIT[- ]|Help.{0,3}Desk)|Internal.?Comm|Enroll?ment Service|Open Enroll?ment|Admin Support'
)
and not regex.icontains(sender.display_name,
"forum|employee voice|briefs|newsletter|screening"
)
and not regex.icontains(sender.display_name,
"HR (new|vue|view|tech admin|global)"
)
and not strings.icontains(sender.display_name, "get it")
)
// or assessment report language found in body
or (
regex.icontains(body.current_thread.text,
'20\d{2}(?:[[:punct:]](?:20)?\d{2})? (?:\w+ )?assessment report'
)
)
// or HR department language found in body via NLU
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name in ("org", "sender")
and regex.icontains(.text,
'\bhr\b',
'human resources',
'operations department'
)
)
)
// suspicious display_text
and (
any(body.links,
regex.icontains(.display_text,
'(?:verify|view|click|download|goto|keep|Vιew|release|access|open|allow|deny|new).{0,10}(?:request|handbook|here|report|attachment|current|download|fax|file|document|message|same|doc|access|polic(?:y|ie))s?'
)
and not strings.ilike(.display_text, "*unsub*")
and not strings.ilike(.display_text, "*privacy?policy*")
and not strings.ilike(.href_url.url, "*privacy?policy*")
and not strings.ilike(.display_text, "*REGISTER*")
// from a low reputation link
and (
not .href_url.domain.root_domain in $org_domains
and (
(
.href_url.domain.root_domain not in $tranco_1m
or .href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
or .href_url.domain.domain in $url_shorteners
or .href_url.domain.domain in $social_landing_hosts
)
or
// or mass mailer link, masks the actual URL
.href_url.domain.root_domain in (
"hubspotlinks.com",
"mandrillapp.com",
"sendgrid.net",
"rs6.net",
"mailanyone.net",
"perspectivefunnel.co"
)
)
)
)
// or credential theft confidence high
or (
length(body.links) > 0
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
and not sender.email.domain.root_domain in (
"servicenowservices.com",
"workplaceextras.com",
"tempo.io",
"or.us",
"proofpoint.com"
)
)
or any(filter(attachments,
.content_type == "message/rfc822" or .file_extension in ('eml')
),
any(file.parse_eml(.).attachments,
any(file.explode(.),
regex.icontains(.scan.ocr.raw, 'scan|camera')
and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
)
)
)
)
// negate messages where "click here" was found and was a link actually an unsub link
// this method allows for matching on other 'click here' links if they are present
and not (
length(filter(body.links, strings.icontains(.display_text, 'click here'))) > 0
and (
length(filter(body.links, strings.icontains(.display_text, 'click here'))) == strings.icount(body.current_thread.text,
'click here to unsubscribe'
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
or sender.email.domain.root_domain in $org_domains
)
and not headers.auth_summary.dmarc.pass
)
or (
sender.email.domain.root_domain not in $high_trust_sender_root_domains
and sender.email.domain.root_domain not in $org_domains
)
)
// not from sharepointonline actual
and not (
sender.email.domain.root_domain == "sharepointonline.com"
and strings.ends_with(headers.message_id, '@odspnotify>')
and strings.starts_with(headers.message_id, "<Spo")
)
// netate common FP topics
and not any(beta.ml_topic(body.current_thread.text).topics,
.name in (
"Events and Webinars",
"Advertising and Promotions",
"Newsletters and Digests"
)
and .confidence == "high"
)
// negate common helpdesk/HR platforms
and not any(headers.domains,
.root_domain in (
"freshemail.io",
"zendesk.com",
"employeenavigator.com",
"saashr.com" // Kronos owned Saas HR offering
)
)
// negate observed HR newsletters
and not (
any(headers.hops,
strings.icontains(.authentication_results.spf_details.designator,
"constantcontact.com"
)
)
and strings.starts_with(sender.email.local_part, 'newsletters-hr')
and sender.email.domain.root_domain == "ccsend.com"
)
// the message is unsolicited and no false positives
and (
not profile.by_sender_email().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
or (
profile.by_sender().any_messages_malicious_or_spam
and profile.by_sender().any_messages_benign
and not (headers.auth_summary.dmarc.pass and headers.auth_summary.spf.pass)
)
)
// negate instances where proofpoint sends a review of a reported message via analyzer
and not (
sender.email.email == "analyzer@analyzer.securityeducation.com"
and any(headers.domains, .root_domain == "pphosted.com")
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Impersonation: Internal corporate services"
description: "Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains."
type: "rule"
severity: "high"
source: |
type.inbound
// use distinct "urls" (without query params) to determine number of links
and 0 < length(distinct(body.links,
// strip out query params to determine
// the unique number of links
strings.concat(.href_url.scheme,
.href_url.domain.domain,
.href_url.path
)
)
) <= 8
// HR language found in subject
and (
(
length(subject.subject) > 20
and regex.icontains(subject.subject,
'(time.{0,4}sheet)|(employ|complete|update(?:d| to| regarding our)|workplace).{0,30}(benefit|handbook|comp\b|compensation|salary|\bpay(?:roll)?\b|policy|policies|guidelines?|conduct|acknowl|PTO|vacation|assess|eval)|(HR|Human Resources).{0,5}ADM[il]N',
// shorten the distance to 3 or less words for the word "review"
// special handling of benefits
'\breview\b(?:\w+(?:\s\w+)?|[[:punct:]]+|\s+){0,3}(benefits?(?:$|.?(?:statement|enrollment))|handbook|comp\b|compensation|salary|bonus|\bpay(?:roll)?\b)',
// handle the year in the subject, and expand the distance to 5 or less words
'20\d{2}\b(?:\w+(?:\s\w+)?|[[:punct:]]+|\s+){0,5}(benefits?(?:$|.?(?:statement|enrollment))|handbook|comp\b|compensation|salary|bonus|\bpay(?:roll)?\b)'
)
)
// or HR language found in sender
or (
regex.icontains(sender.display_name,
'(Employ|Time.{0,3}sheet|\bHR\b|Human R|Handbook|\bIT[- ]|Help.{0,3}Desk)|Internal.?Comm|Enroll?ment Service|Open Enroll?ment|Admin Support'
)
and not regex.icontains(sender.display_name,
"forum|employee voice|briefs|newsletter|screening"
)
and not regex.icontains(sender.display_name,
"HR (new|vue|view|tech admin|global)"
)
and not strings.icontains(sender.display_name, "get it")
)
// or assessment report language found in body
or (
regex.icontains(body.current_thread.text,
'20\d{2}(?:[[:punct:]](?:20)?\d{2})? (?:\w+ )?assessment report'
)
)
// or HR department language found in body via NLU
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name in ("org", "sender")
and regex.icontains(.text,
'\bhr\b',
'human resources',
'operations department'
)
)
)
// suspicious display_text
and (
any(body.links,
regex.icontains(.display_text,
'(?:verify|view|click|download|goto|keep|Vιew|release|access|open|allow|deny|new).{0,10}(?:request|handbook|here|report|attachment|current|download|fax|file|document|message|same|doc|access|polic(?:y|ie))s?'
)
and not strings.ilike(.display_text, "*unsub*")
and not strings.ilike(.display_text, "*privacy?policy*")
and not strings.ilike(.href_url.url, "*privacy?policy*")
and not strings.ilike(.display_text, "*REGISTER*")
// from a low reputation link
and (
not .href_url.domain.root_domain in $org_domains
and (
(
.href_url.domain.root_domain not in $tranco_1m
or .href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
or .href_url.domain.domain in $url_shorteners
or .href_url.domain.domain in $social_landing_hosts
)
or
// or mass mailer link, masks the actual URL
.href_url.domain.root_domain in (
"hubspotlinks.com",
"mandrillapp.com",
"sendgrid.net",
"rs6.net",
"mailanyone.net",
"perspectivefunnel.co"
)
)
)
)
// or credential theft confidence high
or (
length(body.links) > 0
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
and not sender.email.domain.root_domain in (
"servicenowservices.com",
"workplaceextras.com",
"tempo.io",
"or.us",
"proofpoint.com"
)
)
or any(filter(attachments,
.content_type == "message/rfc822" or .file_extension in ('eml')
),
any(file.parse_eml(.).attachments,
any(file.explode(.),
regex.icontains(.scan.ocr.raw, 'scan|camera')
and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
)
)
)
)
// negate messages where "click here" was found and was a link actually an unsub link
// this method allows for matching on other 'click here' links if they are present
and not (
length(filter(body.links, strings.icontains(.display_text, 'click here'))) > 0
and (
length(filter(body.links, strings.icontains(.display_text, 'click here'))) == strings.icount(body.current_thread.text,
'click here to unsubscribe'
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
or sender.email.domain.root_domain in $org_domains
)
and not headers.auth_summary.dmarc.pass
)
or (
sender.email.domain.root_domain not in $high_trust_sender_root_domains
and sender.email.domain.root_domain not in $org_domains
)
)
// not from sharepointonline actual
and not (
sender.email.domain.root_domain == "sharepointonline.com"
and strings.ends_with(headers.message_id, '@odspnotify>')
and strings.starts_with(headers.message_id, "<Spo")
)
// netate common FP topics
and not any(beta.ml_topic(body.current_thread.text).topics,
.name in (
"Events and Webinars",
"Advertising and Promotions",
"Newsletters and Digests"
)
and .confidence == "high"
)
// negate common helpdesk/HR platforms
and not any(headers.domains,
.root_domain in (
"freshemail.io",
"zendesk.com",
"employeenavigator.com",
"saashr.com" // Kronos owned Saas HR offering
)
)
// negate observed HR newsletters
and not (
any(headers.hops,
strings.icontains(.authentication_results.spf_details.designator,
"constantcontact.com"
)
)
and strings.starts_with(sender.email.local_part, 'newsletters-hr')
and sender.email.domain.root_domain == "ccsend.com"
)
// the message is unsolicited and no false positives
and (
not profile.by_sender_email().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
or (
profile.by_sender().any_messages_malicious_or_spam
and profile.by_sender().any_messages_benign
and not (headers.auth_summary.dmarc.pass and headers.auth_summary.spf.pass)
)
)
// negate instances where proofpoint sends a review of a reported message via analyzer
and not (
sender.email.email == "analyzer@analyzer.securityeducation.com"
and any(headers.domains, .root_domain == "pphosted.com")
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Employee"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Sender analysis"
id: "3cd04f33-5519-5cc1-8740-e8ce6cddf8a0"