← Back to Explore
sublimemediumRule
Brand impersonation: Social Security Administration
Detects messages impersonating the Social Security Administration (SSA) through various indicators including display names, subjects, body content, attachments, and HTML titles. The rule identifies SSA references, confusable characters, statement notifications, and credential theft language while excluding legitimate government communications.
Detection Query
type.inbound
// Identifies as SSA without catching strings such as "Alyssa"
and (
regex.contains(sender.display_name, '^SSA\b')
or strings.icontains(sender.display_name, "Social Security Administration")
// there are confusables in the display name
or (
strings.replace_confusables(sender.display_name) != sender.display_name
and strings.contains(strings.replace_confusables(sender.display_name),
"SSA"
)
)
or any([sender.display_name, subject.subject],
regex.icontains(strings.replace_confusables(.),
'Social (?:benefits|security|s.a\b)',
)
)
or (
any(attachments,
.file_type in ("doc", "docx")
and any(file.explode(.),
strings.icontains(.scan.strings.raw,
"Social Security Administration"
)
)
)
)
// display name or subject references a statement
or (
any([sender.display_name, subject.subject],
regex.icontains(strings.replace_confusables(.),
'(Digital|(e[[:punct:]]?))\s?Statements?.{0,10}(Generated|Created|Issued|Ready)'
)
)
// with SSA impersonation in the body
and strings.icontains(body.current_thread.text,
'Social Security Administration'
)
)
or any(html.xpath(body.html, '//title').nodes,
(
strings.icontains(.inner_text, 'Social Security')
and (
strings.icontains(.inner_text, 'Statement')
or strings.icontains(.inner_text, 'Notification')
or strings.icontains(.inner_text, 'Document')
or strings.icontains(.inner_text, 'Message')
or strings.icontains(.inner_text, 'Important Update')
or strings.icontains(.inner_text, 'Benefit Amount')
or strings.icontains(.inner_text, 'Account')
or strings.icontains(.inner_text, 'Authorization')
)
)
or .inner_text =~ "Social Security Administration"
or .inner_text =~ "Social Security"
)
or (
any(body.links, strings.contains(.href_url.url, 'ssa.gov'))
and strings.icontains(body.current_thread.text,
'download monthly statement'
)
and strings.icontains(body.current_thread.text, 'stay connected')
)
or (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "sender" and .text == "Social Security Administration"
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence != "low"
)
)
)
// Not from a .gov domain
and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)
// Additional suspicious indicator
and (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Security and Authentication", "Secure Message")
and .confidence == "high"
)
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "org" and .text == "SSA"
)
or length(body.current_thread.text) == 0
or body.current_thread.text is null
or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
or strings.icontains(strings.replace_confusables(body.current_thread.text),
"Social Security Statement"
)
or regex.icontains(body.current_thread.text,
"(?:view|open) (?:your|the).{0,8} (statement|document)"
)
or regex.icontains(body.current_thread.text,
"(?:view|open|assess|evaluate|review|conduct|read|scan)"
)
// real SSA phone number
or strings.icontains(body.current_thread.text, "1-800-772-1213")
or any(body.links,
any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
.named_groups["ext"] in $file_extensions_executables
)
)
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "SSA" and .confidence == "high"
)
or (
any(attachments,
.file_type in ("doc", "docx")
and any(file.explode(.),
strings.icontains(.scan.strings.raw, "suspended")
or strings.icontains(.scan.strings.raw, "fraudulent")
or strings.icontains(.scan.strings.raw, "violated")
or strings.icontains(.scan.strings.raw, "false identity")
or regex.icontains(.scan.strings.raw,
'\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
'\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
)
)
)
)
)
and not (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Newsletters and Digests",
"Advertising and Promotions",
"Events and Webinars",
"Charity and Non-Profit",
"Political Mail"
)
and .confidence == "high"
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "benign" and .confidence == "high"
)
)
and not (
sender.email.email in ("email@email.monarch.com", "contact@govplus.com")
and coalesce(headers.auth_summary.dmarc.pass, false)
)
// not a forward or reply
and (headers.in_reply_to is null or length(headers.references) == 0)
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Social Security Administration"
description: "Detects messages impersonating the Social Security Administration (SSA) through various indicators including display names, subjects, body content, attachments, and HTML titles. The rule identifies SSA references, confusable characters, statement notifications, and credential theft language while excluding legitimate government communications."
type: "rule"
severity: "medium"
source: |
type.inbound
// Identifies as SSA without catching strings such as "Alyssa"
and (
regex.contains(sender.display_name, '^SSA\b')
or strings.icontains(sender.display_name, "Social Security Administration")
// there are confusables in the display name
or (
strings.replace_confusables(sender.display_name) != sender.display_name
and strings.contains(strings.replace_confusables(sender.display_name),
"SSA"
)
)
or any([sender.display_name, subject.subject],
regex.icontains(strings.replace_confusables(.),
'Social (?:benefits|security|s.a\b)',
)
)
or (
any(attachments,
.file_type in ("doc", "docx")
and any(file.explode(.),
strings.icontains(.scan.strings.raw,
"Social Security Administration"
)
)
)
)
// display name or subject references a statement
or (
any([sender.display_name, subject.subject],
regex.icontains(strings.replace_confusables(.),
'(Digital|(e[[:punct:]]?))\s?Statements?.{0,10}(Generated|Created|Issued|Ready)'
)
)
// with SSA impersonation in the body
and strings.icontains(body.current_thread.text,
'Social Security Administration'
)
)
or any(html.xpath(body.html, '//title').nodes,
(
strings.icontains(.inner_text, 'Social Security')
and (
strings.icontains(.inner_text, 'Statement')
or strings.icontains(.inner_text, 'Notification')
or strings.icontains(.inner_text, 'Document')
or strings.icontains(.inner_text, 'Message')
or strings.icontains(.inner_text, 'Important Update')
or strings.icontains(.inner_text, 'Benefit Amount')
or strings.icontains(.inner_text, 'Account')
or strings.icontains(.inner_text, 'Authorization')
)
)
or .inner_text =~ "Social Security Administration"
or .inner_text =~ "Social Security"
)
or (
any(body.links, strings.contains(.href_url.url, 'ssa.gov'))
and strings.icontains(body.current_thread.text,
'download monthly statement'
)
and strings.icontains(body.current_thread.text, 'stay connected')
)
or (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "sender" and .text == "Social Security Administration"
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence != "low"
)
)
)
// Not from a .gov domain
and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)
// Additional suspicious indicator
and (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Security and Authentication", "Secure Message")
and .confidence == "high"
)
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "org" and .text == "SSA"
)
or length(body.current_thread.text) == 0
or body.current_thread.text is null
or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
or strings.icontains(strings.replace_confusables(body.current_thread.text),
"Social Security Statement"
)
or regex.icontains(body.current_thread.text,
"(?:view|open) (?:your|the).{0,8} (statement|document)"
)
or regex.icontains(body.current_thread.text,
"(?:view|open|assess|evaluate|review|conduct|read|scan)"
)
// real SSA phone number
or strings.icontains(body.current_thread.text, "1-800-772-1213")
or any(body.links,
any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
.named_groups["ext"] in $file_extensions_executables
)
)
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "SSA" and .confidence == "high"
)
or (
any(attachments,
.file_type in ("doc", "docx")
and any(file.explode(.),
strings.icontains(.scan.strings.raw, "suspended")
or strings.icontains(.scan.strings.raw, "fraudulent")
or strings.icontains(.scan.strings.raw, "violated")
or strings.icontains(.scan.strings.raw, "false identity")
or regex.icontains(.scan.strings.raw,
'\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
'\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
)
)
)
)
)
and not (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Newsletters and Digests",
"Advertising and Promotions",
"Events and Webinars",
"Charity and Non-Profit",
"Political Mail"
)
and .confidence == "high"
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "benign" and .confidence == "high"
)
)
and not (
sender.email.email in ("email@email.monarch.com", "contact@govplus.com")
and coalesce(headers.auth_summary.dmarc.pass, false)
)
// not a forward or reply
and (headers.in_reply_to is null or length(headers.references) == 0)
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Sender analysis"
- "URL analysis"
id: "6196767e-6264-5833-96f3-d1e34424d7b5"