sublime | high | Rule
Impersonation: Executive using numbered local part
Detects messages from free email providers where the sender's email address uses a pattern commonly associated with executive impersonation, containing 'chair' or 'ceo' followed by numbers in the local part.
Detection Query
type.inbound
and sender.email.domain.domain in $free_email_providers
and regex.icontains(sender.email.local_part, '^c(?:hair|eo)\d+')
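The rule's three conditions reimplemented in Python as an added example (not Sublime's code and not part of the rule), to show which sender addresses the anchored pattern catches and which near-variants it leaves to other rules. The provider set is a constructed stand-in for `$free_email_providers`; exact matching on the full sender domain and ASCII-only `\d` are assumptions about the query language's semantics.

```python
import re

# Constructed stand-in for $free_email_providers (assumption: the real list is far larger).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}

# Same pattern as the rule. IGNORECASE mirrors regex.icontains;
# ASCII restricts \d to 0-9 (assumed to match the rule engine's behaviour).
EXEC_LOCAL_PART = re.compile(r"^c(?:hair|eo)\d+", re.IGNORECASE | re.ASCII)


def rule_matches(direction: str, sender_email: str) -> bool:
    """Evaluate the rule's three conditions against one sender address."""
    if direction != "inbound":                       # type.inbound
        return False
    local_part, sep, domain = sender_email.rpartition("@")
    if not sep or not local_part:
        return False                                 # not a usable address
    if domain.lower() not in FREE_EMAIL_PROVIDERS:   # domain in $free_email_providers
        return False
    # search() rather than fullmatch(): only the prefix is anchored by '^'
    return EXEC_LOCAL_PART.search(local_part) is not None


# Constructed sample senders: (direction, address)
SAMPLES = [
    ("inbound", "ceo1234@gmail.com"),      # hit
    ("inbound", "Chair07@Outlook.com"),    # hit: case-insensitive
    ("inbound", "ceo1office@yahoo.com"),   # hit: trailing text is allowed
    ("inbound", "ceo@gmail.com"),          # miss: no digits
    ("inbound", "ceo.2024@gmail.com"),     # miss: separator before the digits
    ("inbound", "chairman55@gmail.com"),   # miss: 'chair' not followed directly by digits
    ("inbound", "john.ceo99@gmail.com"),   # miss: pattern is anchored to the start
    ("inbound", "ceo1234@corp.example"),   # miss: not a free email provider
    ("outbound", "ceo1234@gmail.com"),     # miss: not inbound
]


def evaluate(samples):
    """Return (address, matched) pairs for a list of (direction, address) samples."""
    return [(addr, rule_matches(direction, addr)) for direction, addr in samples]


if __name__ == "__main__":
    for addr, hit in evaluate(SAMPLES):
        print(f"{'HIT ' if hit else 'miss'}  {addr}")
```

The misses are the tuning surface: addresses with a separator, no digits, or the title later in the local part fall outside this rule and need coverage elsewhere.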
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Impersonation: Executive using numbered local part"
description: "Detects messages from free email providers where the sender's email address uses a pattern commonly associated with executive impersonation, containing 'chair' or 'ceo' followed by numbers in the local part."
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.domain.domain in $free_email_providers
  and regex.icontains(sender.email.local_part, '^c(?:hair|eo)\d+')
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: VIP"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "8e005a22-5946-5614-a77d-89cef4ee754a"