
Impersonation: Social Security Administration (SSA)

Detects messages impersonating the Social Security Administration (SSA) that carry at least one additional suspicious indicator (secure-message or statement-viewer lures, links to executable file types, an SSA logo, or threatening language in a Word attachment), are not DMARC-authenticated .gov mail, and are sent by unsolicited or previously flagged senders.

Detection Query

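// Gates, in order: inbound with at most one attachment; presents as SSA;
// not DMARC-authenticated .gov mail; at least one extra lure/threat
// indicator; not bulk/marketing content; not a reply; unsolicited or
// previously flagged sender; not an authenticated high-trust domain.
type.inbound
// at most one attachment
and length(attachments) < 2
// Identifies as SSA without catching strings such as "Alyssa"
and (
  // anchored and case-sensitive, so names that merely contain "ssa" do not match
  regex.contains(sender.display_name, '^SSA\b')
  or strings.icontains(sender.display_name, "Social Security Administration")
  // there are confusables in the display name: homoglyph normalisation must
  // actually change the string, and the normalised form must contain "SSA"
  or (
    strings.replace_confusables(sender.display_name) != sender.display_name
    and strings.contains(strings.replace_confusables(sender.display_name),
                         "SSA"
    )
  )
  // "Social benefits" / "Social security" in the display name or subject,
  // checked after confusable normalisation
  or any([sender.display_name, subject.subject],
         regex.icontains(strings.replace_confusables(.),
                         'Social (?:benefits|security)',
         )
  )
  // Word attachment whose extracted strings name the agency
  or (
    any(attachments,
        .file_type in ("doc", "docx")
        and any(file.explode(.),
                strings.icontains(.scan.strings.raw,
                                  "Social Security Administration"
                )
        )
    )
  )
  // display name or subject references a statement
  or (
    any([sender.display_name, subject.subject],
        regex.icontains(strings.replace_confusables(.),
                        '(Digital|(e[[:punct:]]?))\s?Statements?.{0,10}(Generated|Created|Issued|Ready)'
        )
    )
    // with SSA impersonation in the body
    and strings.icontains(body.current_thread.text,
                          'Social Security Administration'
    )
  )
  // HTML <title>: "Social Security" together with a document/account keyword,
  // or a title equal (=~) to one of the two agency names
  or any(html.xpath(body.html, '//title').nodes,
         (
           strings.icontains(.inner_text, 'Social Security')
           and (
             strings.icontains(.inner_text, 'Statement')
             or strings.icontains(.inner_text, 'Notification')
             or strings.icontains(.inner_text, 'Document')
             or strings.icontains(.inner_text, 'Message')
             or strings.icontains(.inner_text, 'Important Update')
             or strings.icontains(.inner_text, 'Benefit Amount')
             or strings.icontains(.inner_text, 'Account')
             or strings.icontains(.inner_text, 'Authorization')
           )
         )
         or .inner_text =~ "Social Security Administration"
         or .inner_text =~ "Social Security"
  )
)

// Not DMARC-authenticated mail from a .gov domain.
// dmarc.pass is coalesced to false so a .gov sender with no DMARC result is
// treated as unauthenticated and therefore stays eligible to match, the same
// way the high-trust exemption at the bottom of this rule handles it.
and not (
  sender.email.domain.tld == "gov"
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

// Additional suspicious indicator (any one of the following)
and (
  // NLU: body reads as a "secure message" lure
  any(ml.nlu_classifier(body.current_thread.text).topics,
      .name == "Secure Message" and .confidence == "high"
  )
  // statement-viewer / statement wording in the body
  or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
  or strings.icontains(strings.replace_confusables(body.current_thread.text),
                       "Social Security Statement"
  )
  // "view your statement" style call to action
  or regex.icontains(body.current_thread.text,
                     "(?:view|open) (?:your|the).{0,8} (statement|document)"
  )
  // real SSA phone number
  or strings.icontains(body.current_thread.text, "1-800-772-1213")
  // link whose URL path ends in an executable extension
  // ($file_extensions_executables is a list not defined in this rule)
  or any(body.links,
         any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
             .named_groups["ext"] in $file_extensions_executables
         )
  )
  // SSA logo detected in a rendered screenshot of the message
  or any(ml.logo_detect(file.message_screenshot()).brands,
         .name == "SSA" and .confidence == "high"
  )
  // Word attachment containing threat language, or a phone-number-shaped
  // string (either pattern; digits may be substituted with i/l/o)
  or (
    any(attachments,
        .file_type in ("doc", "docx")
        and any(file.explode(.),
                strings.icontains(.scan.strings.raw, "suspended")
                or strings.icontains(.scan.strings.raw, "fraudulent")
                or strings.icontains(.scan.strings.raw, "violated")
                or strings.icontains(.scan.strings.raw, "false identity")
                or regex.icontains(.scan.strings.raw,
                                   '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                                   '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
                )
        )
    )
  )
)
// suppress bulk/marketing content the classifier is confident about
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in (
              "Newsletters and Digests",
              "Advertising and Promotions",
              "Events and Webinars"
            )
            and .confidence == "high"
)
// not a forward or reply: this is an `or`, so a message is excluded only
// when it has BOTH an In-Reply-To header and a non-empty References chain;
// a message carrying just one of the two still passes this gate
and (headers.in_reply_to is null or length(headers.references) == 0)
// sender is unsolicited, or is solicited but has only ever sent
// malicious/spam mail and never anything benign
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
// high-trust root domains are exempt only when DMARC actually passed
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)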

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
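name: "Impersonation: Social Security Administration (SSA)"
description: "Detects messages impersonating the Social Security Administration (SSA) that carry at least one additional suspicious indicator (secure-message or statement-viewer lures, links to executable file types, an SSA logo, or threatening language in a Word attachment), are not DMARC-authenticated .gov mail, and are sent by unsolicited or previously flagged senders."
type: "rule"
severity: "medium"
source: |
  // Gates, in order: inbound with at most one attachment; presents as SSA;
  // not DMARC-authenticated .gov mail; at least one extra lure/threat
  // indicator; not bulk/marketing content; not a reply; unsolicited or
  // previously flagged sender; not an authenticated high-trust domain.
  type.inbound
  // at most one attachment
  and length(attachments) < 2
  // Identifies as SSA without catching strings such as "Alyssa"
  and (
    // anchored and case-sensitive, so names that merely contain "ssa" do not match
    regex.contains(sender.display_name, '^SSA\b')
    or strings.icontains(sender.display_name, "Social Security Administration")
    // there are confusables in the display name: homoglyph normalisation must
    // actually change the string, and the normalised form must contain "SSA"
    or (
      strings.replace_confusables(sender.display_name) != sender.display_name
      and strings.contains(strings.replace_confusables(sender.display_name),
                           "SSA"
      )
    )
    // "Social benefits" / "Social security" in the display name or subject,
    // checked after confusable normalisation
    or any([sender.display_name, subject.subject],
           regex.icontains(strings.replace_confusables(.),
                           'Social (?:benefits|security)',
           )
    )
    // Word attachment whose extracted strings name the agency
    or (
      any(attachments,
          .file_type in ("doc", "docx")
          and any(file.explode(.),
                  strings.icontains(.scan.strings.raw,
                                    "Social Security Administration"
                  )
          )
      )
    )
    // display name or subject references a statement
    or (
      any([sender.display_name, subject.subject],
          regex.icontains(strings.replace_confusables(.),
                          '(Digital|(e[[:punct:]]?))\s?Statements?.{0,10}(Generated|Created|Issued|Ready)'
          )
      )
      // with SSA impersonation in the body
      and strings.icontains(body.current_thread.text,
                            'Social Security Administration'
      )
    )
    // HTML <title>: "Social Security" together with a document/account keyword,
    // or a title equal (=~) to one of the two agency names
    or any(html.xpath(body.html, '//title').nodes,
           (
             strings.icontains(.inner_text, 'Social Security')
             and (
               strings.icontains(.inner_text, 'Statement')
               or strings.icontains(.inner_text, 'Notification')
               or strings.icontains(.inner_text, 'Document')
               or strings.icontains(.inner_text, 'Message')
               or strings.icontains(.inner_text, 'Important Update')
               or strings.icontains(.inner_text, 'Benefit Amount')
               or strings.icontains(.inner_text, 'Account')
               or strings.icontains(.inner_text, 'Authorization')
             )
           )
           or .inner_text =~ "Social Security Administration"
           or .inner_text =~ "Social Security"
    )
  )

  // Not DMARC-authenticated mail from a .gov domain.
  // dmarc.pass is coalesced to false so a .gov sender with no DMARC result is
  // treated as unauthenticated and therefore stays eligible to match, the same
  // way the high-trust exemption at the bottom of this rule handles it.
  and not (
    sender.email.domain.tld == "gov"
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

  // Additional suspicious indicator (any one of the following)
  and (
    // NLU: body reads as a "secure message" lure
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Secure Message" and .confidence == "high"
    )
    // statement-viewer / statement wording in the body
    or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
    or strings.icontains(strings.replace_confusables(body.current_thread.text),
                         "Social Security Statement"
    )
    // "view your statement" style call to action
    or regex.icontains(body.current_thread.text,
                       "(?:view|open) (?:your|the).{0,8} (statement|document)"
    )
    // real SSA phone number
    or strings.icontains(body.current_thread.text, "1-800-772-1213")
    // link whose URL path ends in an executable extension
    // ($file_extensions_executables is a list not defined in this rule)
    or any(body.links,
           any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
               .named_groups["ext"] in $file_extensions_executables
           )
    )
    // SSA logo detected in a rendered screenshot of the message
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name == "SSA" and .confidence == "high"
    )
    // Word attachment containing threat language, or a phone-number-shaped
    // string (either pattern; digits may be substituted with i/l/o)
    or (
      any(attachments,
          .file_type in ("doc", "docx")
          and any(file.explode(.),
                  strings.icontains(.scan.strings.raw, "suspended")
                  or strings.icontains(.scan.strings.raw, "fraudulent")
                  or strings.icontains(.scan.strings.raw, "violated")
                  or strings.icontains(.scan.strings.raw, "false identity")
                  or regex.icontains(.scan.strings.raw,
                                     '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                                     '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
                  )
          )
      )
    )
  )
  // suppress bulk/marketing content the classifier is confident about
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in (
                "Newsletters and Digests",
                "Advertising and Promotions",
                "Events and Webinars"
              )
              and .confidence == "high"
  )
  // not a forward or reply: this is an `or`, so a message is excluded only
  // when it has BOTH an In-Reply-To header and a non-empty References chain;
  // a message carrying just one of the two still passes this gate
  and (headers.in_reply_to is null or length(headers.references) == 0)
  // sender is unsolicited, or is solicited but has only ever sent
  // malicious/spam mail and never anything benign
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // high-trust root domains are exempt only when DMARC actually passed
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "6196767e-6264-5833-96f3-d1e34424d7b5"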