← Back to Explore
sublimehighRule
Benefits enrollment impersonation
Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication.
Detection Query
type.inbound
and sender.email.domain.domain not in $org_domains
and (
length(body.current_thread.text) < 5000 or body.current_thread.text is null
)
and (
regex.icontains(subject.subject,
'(open|benefits?) enrol{1,2}ment', // catches both enrolment and enrollment
'benefit(s)? (plan|choice|selection|deadline|period)',
'hr benefits',
'annual enrol{1,2}ment',
'healthcare (choice|selection|opt.?in)',
'(fsa|hsa|401k) (enrol{1,2}ment|selection)',
'dependent (coverage|verification)',
'(health|dental|vision|insurance|medical) enrol{1,2}ment'
)
or regex.icontains(body.current_thread.text,
'benefit(s)? (plan|choice|selection|deadline|period)',
'hr benefits',
'annual enrol{1,2}ment',
'healthcare (choice|selection|opt.?in)',
'(fsa|hsa|401k) (enrol{1,2}ment|selection)',
'dependent (coverage|verification)',
'(health|dental|vision|insurance|medical) enrol{1,2}ment',
'(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)',
'coverage.{0,20}(expire|terminate)',
'last (day|chance).{0,20}(enrol{1,2}|select)',
'(login|sign.?in).{0,20}(benefit portal|hr portal)',
'(verify|update|confirm).{0,20}(benefit.{0,20}selection)'
)
or any(attachments,
regex.icontains(.file_name,
'fileDoc-Review',
'(open|benefits?) enrol{1,2}ment',
'annual enrol{1,2}ment',
'(fsa|hsa|401k) (enrol{1,2}ment|selection)',
'(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)',
)
)
)
and 2 of (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name in ("urgency", "request")
),
any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign"),
(
(length(body.current_thread.text) < 250 and length(attachments) == 1)
or (body.current_thread.text is null and length(attachments) == 1)
),
// lure in attachment
(
any(attachments,
(
.file_type in $file_types_images
or .file_type in ("pdf", "docx", "doc")
or .file_extension in $file_extensions_macros
)
and any(filter(file.explode(.), .scan.ocr.raw is not null),
(
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name != "benign"
)
and any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name in ("urgency", "request")
)
)
)
)
)
)
// negate replies
and (
length(headers.references) == 0
or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
// Negate common marketing mailers
and not regex.icontains(sender.display_name,
'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations'
)
and not (
// Constant Contact
any(headers.hops,
strings.icontains(.authentication_results.spf_details.designator,
"constantcontact.com"
)
)
or any(headers.hops,
strings.icontains(.received_spf.designator, "constantcontact.com")
)
or (
(
any(headers.hops,
.index == 0
and any(.authentication_results.dkim_details,
.domain == "auth.ccsend.com"
)
)
)
and headers.auth_summary.dmarc.pass
)
or any(headers.references, strings.iends_with(., "ccsend.com"))
// Hubspot
or any(headers.hops,
strings.icontains(.authentication_results.spf_details.designator,
"hubspotemail.net"
)
)
)
and sender.email.domain.root_domain not in~ (
'medicare.gov',
'farmers.com',
'uhc.com',
'blueshieldca.com',
'corestream.com'
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Benefits enrollment impersonation"
description: "Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication."
type: "rule"
severity: "high"
source: |
type.inbound
and sender.email.domain.domain not in $org_domains
and (
length(body.current_thread.text) < 5000 or body.current_thread.text is null
)
and (
regex.icontains(subject.subject,
'(open|benefits?) enrol{1,2}ment', // catches both enrolment and enrollment
'benefit(s)? (plan|choice|selection|deadline|period)',
'hr benefits',
'annual enrol{1,2}ment',
'healthcare (choice|selection|opt.?in)',
'(fsa|hsa|401k) (enrol{1,2}ment|selection)',
'dependent (coverage|verification)',
'(health|dental|vision|insurance|medical) enrol{1,2}ment'
)
or regex.icontains(body.current_thread.text,
'benefit(s)? (plan|choice|selection|deadline|period)',
'hr benefits',
'annual enrol{1,2}ment',
'healthcare (choice|selection|opt.?in)',
'(fsa|hsa|401k) (enrol{1,2}ment|selection)',
'dependent (coverage|verification)',
'(health|dental|vision|insurance|medical) enrol{1,2}ment',
'(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)',
'coverage.{0,20}(expire|terminate)',
'last (day|chance).{0,20}(enrol{1,2}|select)',
'(login|sign.?in).{0,20}(benefit portal|hr portal)',
'(verify|update|confirm).{0,20}(benefit.{0,20}selection)'
)
or any(attachments,
regex.icontains(.file_name,
'fileDoc-Review',
'(open|benefits?) enrol{1,2}ment',
'annual enrol{1,2}ment',
'(fsa|hsa|401k) (enrol{1,2}ment|selection)',
'(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)',
)
)
)
and 2 of (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name in ("urgency", "request")
),
any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign"),
(
(length(body.current_thread.text) < 250 and length(attachments) == 1)
or (body.current_thread.text is null and length(attachments) == 1)
),
// lure in attachment
(
any(attachments,
(
.file_type in $file_types_images
or .file_type in ("pdf", "docx", "doc")
or .file_extension in $file_extensions_macros
)
and any(filter(file.explode(.), .scan.ocr.raw is not null),
(
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name != "benign"
)
and any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name in ("urgency", "request")
)
)
)
)
)
)
// negate replies
and (
length(headers.references) == 0
or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
// Negate common marketing mailers
and not regex.icontains(sender.display_name,
'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations'
)
and not (
// Constant Contact
any(headers.hops,
strings.icontains(.authentication_results.spf_details.designator,
"constantcontact.com"
)
)
or any(headers.hops,
strings.icontains(.received_spf.designator, "constantcontact.com")
)
or (
(
any(headers.hops,
.index == 0
and any(.authentication_results.dkim_details,
.domain == "auth.ccsend.com"
)
)
)
and headers.auth_summary.dmarc.pass
)
or any(headers.references, strings.iends_with(., "ccsend.com"))
// Hubspot
or any(headers.hops,
strings.icontains(.authentication_results.spf_details.designator,
"hubspotemail.net"
)
)
)
and sender.email.domain.root_domain not in~ (
'medicare.gov',
'farmers.com',
'uhc.com',
'blueshieldca.com',
'corestream.com'
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Impersonation: Employee"
- "Out of band pivot"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
id: "5a6eb5a8-2d91-5ed8-a0d2-fb3cc2fef40b"