← Back to Explore
sublimemediumRule
Brand impersonation: Canada Revenue Agency
Detects messages impersonating the Canada Revenue Agency (CRA) in English or French that contain credential theft indicators. The rule identifies senders claiming to be CRA through display names or subject line references, uses natural language understanding to detect credential theft intent, and excludes legitimate senders with proper authentication.
Detection Query
type.inbound
// sender claims to be CRA
and (
strings.icontains(sender.display_name, 'canada revenue agency')
or strings.icontains(sender.display_name, 'agence du revenu du canada')
or (
// cra display name and cra reference in subject
regex.icontains(sender.display_name, '\bcra\b')
and regex.icontains(subject.base,
'(?:T4|cra|tax|canada revenue|revenu du canada)'
)
)
)
// nlu cred theft
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence != 'low'
)
and not (
(
// negate highly trusted sender domains
sender.email.domain.root_domain in $high_trust_sender_root_domains
// negate legit senders from merck
or sender.email.domain.root_domain == "cra-arc.gc.ca"
)
// enforce auth
and coalesce(headers.auth_summary.dmarc.pass, false)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Canada Revenue Agency"
description: "Detects messages impersonating the Canada Revenue Agency (CRA) in English or French that contain credential theft indicators. The rule identifies senders claiming to be CRA through display names or subject line references, uses natural language understanding to detect credential theft intent, and excludes legitimate senders with proper authentication."
type: "rule"
severity: "medium"
source: |
type.inbound
// sender claims to be CRA
and (
strings.icontains(sender.display_name, 'canada revenue agency')
or strings.icontains(sender.display_name, 'agence du revenu du canada')
or (
// cra display name and cra reference in subject
regex.icontains(sender.display_name, '\bcra\b')
and regex.icontains(subject.base,
'(?:T4|cra|tax|canada revenue|revenu du canada)'
)
)
)
// nlu cred theft
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence != 'low'
)
and not (
(
// negate highly trusted sender domains
sender.email.domain.root_domain in $high_trust_sender_root_domains
// negate legit senders from merck
or sender.email.domain.root_domain == "cra-arc.gc.ca"
)
// enforce auth
and coalesce(headers.auth_summary.dmarc.pass, false)
)
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
id: "72607c4c-52dc-5df6-b547-54ee321b7a7a"