EXPLORE
Sign In
← Back to Explore
sublimehighRule

VIP Impersonation via Google Group relay with suspicious indicators

Public Google Groups can be used to impersonate internal senders, while the reply to address is not under organizational control, leading to fraud, credential phishing, or other unwanted outcomes.

MITRE ATT&CK

T1566.002T1534T1656T1566T1566.001T1598T1204.002T1486T1036T1027
defense-evasioninitial-access

Detection Query

(type.inbound or type.internal)
and sender.email.domain.root_domain in $org_domains

// subject, sender or reply to contains a VIP
and (
  any(headers.reply_to,
      any($org_vips, strings.contains(.display_name, ..display_name))
  )
  or any($org_vips, strings.contains(subject.subject, .display_name))
  or any($org_vips, strings.contains(sender.display_name, .display_name))
)
and any(headers.hops,
        any(.fields,
            regex.icontains(.name,
                            "X-Authenticated-Sender|X-Sender|X-Original-Sender"
            )
        )
)

// reply to return path mismatch and not org domain
and any(headers.reply_to,
        .email.domain.root_domain != headers.return_path.domain.root_domain
        and .email.domain.root_domain not in $org_domains
)

// googlegroups found in hops
and any(headers.hops,
        .index == 0 and any(.fields, strings.icontains(.value, "googlegroups"))
)

// financial nlu entity in current thread
and 3 of (
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "financial"
  ),

  // invoice entity in display_text
  any(ml.nlu_classifier(body.current_thread.text).tags, .name == "invoice"),

  // fake thread
  (
    (subject.is_forward or subject.is_reply)
    and (
      (length(headers.references) == 0 and headers.in_reply_to is null)
      or not any(headers.hops,
                 any(.fields, strings.ilike(.name, "In-Reply-To"))
      )
    )
  ),

  // reply-to is freemail 
  any(headers.reply_to, .email.domain.domain in $free_email_providers),

  // reply-to is not in $recipient_emails
  any(headers.reply_to, .email.email not in $recipient_emails),

  // dmarc authentication is freemail provider
  headers.auth_summary.dmarc.details.from.root_domain in $free_email_providers
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "VIP Impersonation via Google Group relay with suspicious indicators"
description: "Public Google Groups can be used to impersonate internal senders, while the reply to address is not under organizational control, leading to fraud, credential phishing, or other unwanted outcomes."
type: "rule"
severity: "high"
source: |
  (type.inbound or type.internal)
  and sender.email.domain.root_domain in $org_domains
  
  // subject, sender or reply to contains a VIP
  and (
    any(headers.reply_to,
        any($org_vips, strings.contains(.display_name, ..display_name))
    )
    or any($org_vips, strings.contains(subject.subject, .display_name))
    or any($org_vips, strings.contains(sender.display_name, .display_name))
  )
  and any(headers.hops,
          any(.fields,
              regex.icontains(.name,
                              "X-Authenticated-Sender|X-Sender|X-Original-Sender"
              )
          )
  )
  
  // reply to return path mismatch and not org domain
  and any(headers.reply_to,
          .email.domain.root_domain != headers.return_path.domain.root_domain
          and .email.domain.root_domain not in $org_domains
  )
  
  // googlegroups found in hops
  and any(headers.hops,
          .index == 0 and any(.fields, strings.icontains(.value, "googlegroups"))
  )
  
  // financial nlu entity in current thread
  and 3 of (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "financial"
    ),
  
    // invoice entity in display_text
    any(ml.nlu_classifier(body.current_thread.text).tags, .name == "invoice"),
  
    // fake thread
    (
      (subject.is_forward or subject.is_reply)
      and (
        (length(headers.references) == 0 and headers.in_reply_to is null)
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
    ),
  
    // reply-to is freemail 
    any(headers.reply_to, .email.domain.domain in $free_email_providers),
  
    // reply-to is not in $recipient_emails
    any(headers.reply_to, .email.email not in $recipient_emails),
  
    // dmarc authentication is freemail provider
    headers.auth_summary.dmarc.details.from.root_domain in $free_email_providers
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Impersonation: Employee"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "57f9cd3b-ddac-5ef5-96dd-374dbd03f5cd"