← Back to Explore
sublimehighRule
BEC: Employee impersonation with subject manipulation
Subject matches the display name of someone in your organization, and the body resembles a BEC attack.
Detection Query
type.inbound
// attacks have been observed where the impersonation is
// in the subject, and the display name contains what a
// subject typically would contain. this is an attempt to
// bypass impersonation detections
and subject.base in~ $org_display_names
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "bec" and .confidence in ("medium", "high")
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "BEC: Employee impersonation with subject manipulation"
description: |
Subject matches the display name of someone in your organization, and the body resembles a BEC attack.
type: "rule"
severity: "high"
source: |
type.inbound
// attacks have been observed where the impersonation is
// in the subject, and the display name contains what a
// subject typically would contain. this is an attempt to
// bypass impersonation detections
and subject.base in~ $org_display_names
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "bec" and .confidence in ("medium", "high")
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
attack_types:
- "BEC/Fraud"
tactics_and_techniques:
- "Impersonation: Employee"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Natural Language Understanding"
- "Sender analysis"
id: "9adfc77b-cabe-5ef8-b1ed-6ad5d682447f"