← Back to Explore
sublimehighRule
Impersonation: Suspected supplier impersonation with suspicious content
This rule detects supplier impersonation by checking for: similar linked domains to the sender, non-freemail senders using freemail infrastructure, sender domains less than 90 days old, unsolicited communication or no prior interaction with the reply-to address, and a suspicious body.
Detection Query
type.inbound
// a linked domain is similar but not the same as the sender domain
and any(body.links,
length(.href_url.domain.sld) > 3
and 0 < strings.levenshtein(.href_url.domain.sld,
sender.email.domain.sld
) <= 2
and not sender.email.domain.root_domain == "onmicrosoft.com"
// looking for lookalike domains above, typically the registrars won't match
and network.whois(sender.email.domain).registrar_name != network.whois(.href_url.domain
).registrar_name
// and one of the domains is less than 30 days old
and (
network.whois(sender.email.domain).days_old < 30
or network.whois(.href_url.domain).days_old < 30
)
)
// the sender is not a freemail, but the message or the in-reply-to indicates it traversed a freemail infrastructure, likely an auto forwarding rule. Or the sender or reply-to domain is new
and (
sender.email.domain.root_domain not in $free_email_providers
and (
any(headers.references,
any($free_email_providers, strings.contains(.., .))
and not strings.ends_with(., "outlook.com")
)
or (
any($free_email_providers,
strings.contains(headers.in_reply_to, .)
and not strings.ends_with(headers.in_reply_to, 'outlook.com')
)
// with the suspicious traversal tolerate 90 days
and network.whois(sender.email.domain).days_old < 90
)
or any(headers.reply_to,
network.whois(.email.domain).days_old < 30
and .email.email != sender.email.email
)
)
)
// not solicited, nor ever communicated with
and (
not profile.by_sender_domain().solicited
or // reply-to is not in $recipient_emails
any(headers.reply_to, .email.email not in $recipient_emails)
)
and (
2 of (
// language attempting to engage
(
any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).entities,
.name == "request"
)
and any(ml.nlu_classifier(coalesce(body.plain.raw,
body.current_thread.text
)
).entities,
.name == "financial"
)
),
// payment tag high confidence
any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).tags,
.name == "payment" and .confidence == "high"
),
// invoicing language
any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).tags,
.name == "invoice"
),
// urgency request
any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).entities,
.name == "urgency"
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Impersonation: Suspected supplier impersonation with suspicious content"
description: "This rule detects supplier impersonation by checking for: similar linked domains to the sender, non-freemail senders using freemail infrastructure, sender domains less than 90 days old, unsolicited communication or no prior interaction with the reply-to address, and a suspicious body."
type: "rule"
severity: "high"
source: |
type.inbound
// a linked domain is similar but not the same as the sender domain
and any(body.links,
length(.href_url.domain.sld) > 3
and 0 < strings.levenshtein(.href_url.domain.sld,
sender.email.domain.sld
) <= 2
and not sender.email.domain.root_domain == "onmicrosoft.com"
// looking for lookalike domains above, typically the registrars won't match
and network.whois(sender.email.domain).registrar_name != network.whois(.href_url.domain
).registrar_name
// and one of the domains is less than 30 days old
and (
network.whois(sender.email.domain).days_old < 30
or network.whois(.href_url.domain).days_old < 30
)
)
// the sender is not a freemail, but the message or the in-reply-to indicates it traversed a freemail infrastructure, likely an auto forwarding rule. Or the sender or reply-to domain is new
and (
sender.email.domain.root_domain not in $free_email_providers
and (
any(headers.references,
any($free_email_providers, strings.contains(.., .))
and not strings.ends_with(., "outlook.com")
)
or (
any($free_email_providers,
strings.contains(headers.in_reply_to, .)
and not strings.ends_with(headers.in_reply_to, 'outlook.com')
)
// with the suspicious traversal tolerate 90 days
and network.whois(sender.email.domain).days_old < 90
)
or any(headers.reply_to,
network.whois(.email.domain).days_old < 30
and .email.email != sender.email.email
)
)
)
// not solicited, nor ever communicated with
and (
not profile.by_sender_domain().solicited
or // reply-to is not in $recipient_emails
any(headers.reply_to, .email.email not in $recipient_emails)
)
and (
2 of (
// language attempting to engage
(
any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).entities,
.name == "request"
)
and any(ml.nlu_classifier(coalesce(body.plain.raw,
body.current_thread.text
)
).entities,
.name == "financial"
)
),
// payment tag high confidence
any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).tags,
.name == "payment" and .confidence == "high"
),
// invoicing language
any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).tags,
.name == "invoice"
),
// urgency request
any(ml.nlu_classifier(coalesce(body.plain.raw, body.current_thread.text)).entities,
.name == "urgency"
)
)
)
attack_types:
- "BEC/Fraud"
tactics_and_techniques:
- "Evasion"
- "Free email provider"
- "Lookalike domain"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Sender analysis"
- "URL analysis"
- "Whois"
id: "63d8b1ce-7409-58d9-aa78-fffba12bba29"