EXPLORE
← Back to Explore
sublimemediumRule

Brand impersonation: Social Security Administration

Detects messages impersonating the Social Security Administration (SSA) through various indicators including display names, subjects, body content, attachments, and HTML titles. The rule identifies SSA references, confusable characters, statement notifications, and credential theft language while excluding legitimate government communications.

Detection Query

type.inbound
// Identifies as SSA without catching strings such as "Alyssa"
and (
  regex.contains(sender.display_name, '^SSA\b')
  or strings.icontains(sender.display_name, "Social Security Administration")
  // there are confusables in the display name
  or (
    strings.replace_confusables(sender.display_name) != sender.display_name
    and strings.contains(strings.replace_confusables(sender.display_name),
                         "SSA"
    )
  )
  or any([sender.display_name, subject.subject],
         regex.icontains(strings.replace_confusables(.),
                         'Social (?:benefits|security|s.a\b)',
         )
  )
  or (
    any(attachments,
        .file_type in ("doc", "docx")
        and any(file.explode(.),
                strings.icontains(.scan.strings.raw,
                                  "Social Security Administration"
                )
        )
    )
  )
  // display name or subject references a statement
  or (
    any([sender.display_name, subject.subject],
        regex.icontains(strings.replace_confusables(.),
                        '(Digital|(e[[:punct:]]?))\s?Statements?.{0,10}(Generated|Created|Issued|Ready)'
        )
    )
    // with SSA impersonation in the body
    and strings.icontains(body.current_thread.text,
                          'Social Security Administration'
    )
  )
  or any(html.xpath(body.html, '//title').nodes,
         (
           strings.icontains(.inner_text, 'Social Security')
           and (
             strings.icontains(.inner_text, 'Statement')
             or strings.icontains(.inner_text, 'Notification')
             or strings.icontains(.inner_text, 'Document')
             or strings.icontains(.inner_text, 'Message')
             or strings.icontains(.inner_text, 'Important Update')
             or strings.icontains(.inner_text, 'Benefit Amount')
             or strings.icontains(.inner_text, 'Account')
             or strings.icontains(.inner_text, 'Authorization')
           )
         )
         or .inner_text =~ "Social Security Administration"
         or .inner_text =~ "Social Security"
  )
  or (
    any(body.links, strings.contains(.href_url.url, 'ssa.gov'))
    and strings.icontains(body.current_thread.text,
                          'download monthly statement'
    )
    and strings.icontains(body.current_thread.text, 'stay connected')
  )
  or (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "sender" and .text == "Social Security Administration"
    )
    and any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "cred_theft" and .confidence != "low"
    )
  )
)

// Not from a .gov domain
and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)

// Additional suspicious indicator
and (
  any(ml.nlu_classifier(body.current_thread.text).topics,
      .name in ("Security and Authentication", "Secure Message")
      and .confidence == "high"
  )
  or any(ml.nlu_classifier(body.current_thread.text).entities,
         .name == "org" and .text == "SSA"
  )
  or length(body.current_thread.text) == 0
  or body.current_thread.text is null
  or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
  or strings.icontains(strings.replace_confusables(body.current_thread.text),
                       "Social Security Statement"
  )
  or regex.icontains(body.current_thread.text,
                     "(?:view|open) (?:your|the).{0,8} (statement|document)"
  )
  or regex.icontains(body.current_thread.text,
                     "(?:view|open|assess|evaluate|review|conduct|read|scan)"
  )
  // real SSA phone number
  or strings.icontains(body.current_thread.text, "1-800-772-1213")
  or any(body.links,
         any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
             .named_groups["ext"] in $file_extensions_executables
         )
  )
  or any(ml.logo_detect(file.message_screenshot()).brands,
         .name == "SSA" and .confidence == "high"
  )
  or (
    any(attachments,
        .file_type in ("doc", "docx")
        and any(file.explode(.),
                strings.icontains(.scan.strings.raw, "suspended")
                or strings.icontains(.scan.strings.raw, "fraudulent")
                or strings.icontains(.scan.strings.raw, "violated")
                or strings.icontains(.scan.strings.raw, "false identity")
                or regex.icontains(.scan.strings.raw,
                                   '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                                   '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
                )
        )
    )
  )
)
and not (
  any(ml.nlu_classifier(body.current_thread.text).topics,
      .name in (
        "Newsletters and Digests",
        "Advertising and Promotions",
        "Events and Webinars",
        "Charity and Non-Profit",
        "Political Mail"
      )
      and .confidence == "high"
  )
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == "benign" and .confidence == "high"
  )
)
and not (
  sender.email.email in ("email@email.monarch.com", "contact@govplus.com")
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

// not a forward or reply
and (headers.in_reply_to is null or length(headers.references) == 0)
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: Social Security Administration"
description: "Detects messages impersonating the Social Security Administration (SSA) through various indicators including display names, subjects, body content, attachments, and HTML titles. The rule identifies SSA references, confusable characters, statement notifications, and credential theft language while excluding legitimate government communications."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Identifies as SSA without catching strings such as "Alyssa"
  and (
    regex.contains(sender.display_name, '^SSA\b')
    or strings.icontains(sender.display_name, "Social Security Administration")
    // there are confusables in the display name
    or (
      strings.replace_confusables(sender.display_name) != sender.display_name
      and strings.contains(strings.replace_confusables(sender.display_name),
                           "SSA"
      )
    )
    or any([sender.display_name, subject.subject],
           regex.icontains(strings.replace_confusables(.),
                           'Social (?:benefits|security|s.a\b)',
           )
    )
    or (
      any(attachments,
          .file_type in ("doc", "docx")
          and any(file.explode(.),
                  strings.icontains(.scan.strings.raw,
                                    "Social Security Administration"
                  )
          )
      )
    )
    // display name or subject references a statement
    or (
      any([sender.display_name, subject.subject],
          regex.icontains(strings.replace_confusables(.),
                          '(Digital|(e[[:punct:]]?))\s?Statements?.{0,10}(Generated|Created|Issued|Ready)'
          )
      )
      // with SSA impersonation in the body
      and strings.icontains(body.current_thread.text,
                            'Social Security Administration'
      )
    )
    or any(html.xpath(body.html, '//title').nodes,
           (
             strings.icontains(.inner_text, 'Social Security')
             and (
               strings.icontains(.inner_text, 'Statement')
               or strings.icontains(.inner_text, 'Notification')
               or strings.icontains(.inner_text, 'Document')
               or strings.icontains(.inner_text, 'Message')
               or strings.icontains(.inner_text, 'Important Update')
               or strings.icontains(.inner_text, 'Benefit Amount')
               or strings.icontains(.inner_text, 'Account')
               or strings.icontains(.inner_text, 'Authorization')
             )
           )
           or .inner_text =~ "Social Security Administration"
           or .inner_text =~ "Social Security"
    )
    or (
      any(body.links, strings.contains(.href_url.url, 'ssa.gov'))
      and strings.icontains(body.current_thread.text,
                            'download monthly statement'
      )
      and strings.icontains(body.current_thread.text, 'stay connected')
    )
    or (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "sender" and .text == "Social Security Administration"
      )
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "cred_theft" and .confidence != "low"
      )
    )
  )
  
  // Not from a .gov domain
  and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)
  
  // Additional suspicious indicator
  and (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Security and Authentication", "Secure Message")
        and .confidence == "high"
    )
    or any(ml.nlu_classifier(body.current_thread.text).entities,
           .name == "org" and .text == "SSA"
    )
    or length(body.current_thread.text) == 0
    or body.current_thread.text is null
    or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
    or strings.icontains(strings.replace_confusables(body.current_thread.text),
                         "Social Security Statement"
    )
    or regex.icontains(body.current_thread.text,
                       "(?:view|open) (?:your|the).{0,8} (statement|document)"
    )
    or regex.icontains(body.current_thread.text,
                       "(?:view|open|assess|evaluate|review|conduct|read|scan)"
    )
    // real SSA phone number
    or strings.icontains(body.current_thread.text, "1-800-772-1213")
    or any(body.links,
           any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
               .named_groups["ext"] in $file_extensions_executables
           )
    )
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name == "SSA" and .confidence == "high"
    )
    or (
      any(attachments,
          .file_type in ("doc", "docx")
          and any(file.explode(.),
                  strings.icontains(.scan.strings.raw, "suspended")
                  or strings.icontains(.scan.strings.raw, "fraudulent")
                  or strings.icontains(.scan.strings.raw, "violated")
                  or strings.icontains(.scan.strings.raw, "false identity")
                  or regex.icontains(.scan.strings.raw,
                                     '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                                     '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
                  )
          )
      )
    )
  )
  and not (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in (
          "Newsletters and Digests",
          "Advertising and Promotions",
          "Events and Webinars",
          "Charity and Non-Profit",
          "Political Mail"
        )
        and .confidence == "high"
    )
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "benign" and .confidence == "high"
    )
  )
  and not (
    sender.email.email in ("email@email.monarch.com", "contact@govplus.com")
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  
  // not a forward or reply
  and (headers.in_reply_to is null or length(headers.references) == 0)
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "6196767e-6264-5833-96f3-d1e34424d7b5"