EXPLORE
← Back to Explore
sublimemediumRule

Brand impersonation: Government / Tax Authority document lure

Detects messages impersonating government and tax authorities (such as the IRS, SSA, Department of Treasury, and similar agencies) that contain suspicious document-related links. The rule identifies either download calls-to-action pointing to low-reputation or free subdomain hosts, or phishing-kit URLs that embed the impersonated organization's name in the path. Credential theft intent is confirmed via NLP analysis, and trusted sender domains are only flagged when DMARC authentication fails.

Detection Query

type.inbound
// impersonates a named government / tax / benefits authority in the sender display name
and regex.icontains(strings.replace_confusables(sender.display_name),
                    'internal revenue|\bIRS\b|social security|\bSSA\b|medicaid|medicare|department of (?:health|revenue|treasur|state|labor|justice|homeland)|ministry of finance|income tax (?:department|dept)|department of the treasury|u\.?s\.? treasury'
)
// a document lure link that is either a download cta to a low-rep host
and any(body.current_thread.links,
        regex.icontains(.display_text,
                        'download|response form|review document|official document|statement'
        )
        and (
          .href_url.domain.root_domain not in $tranco_1m
          or .href_url.domain.root_domain in $url_shorteners
          or (
            .href_url.domain.subdomain is not null
            and .href_url.domain.subdomain != "www"
            and .href_url.domain.root_domain in $free_subdomain_hosts
          )
        )
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in ("medium", "high")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: Government / Tax Authority document lure"
description: "Detects messages impersonating government and tax authorities (such as the IRS, SSA, Department of Treasury, and similar agencies) that contain suspicious document-related links. The rule identifies either download calls-to-action pointing to low-reputation or free subdomain hosts, or phishing-kit URLs that embed the impersonated organization's name in the path. Credential theft intent is confirmed via NLP analysis, and trusted sender domains are only flagged when DMARC authentication fails."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // impersonates a named government / tax / benefits authority in the sender display name
  and regex.icontains(strings.replace_confusables(sender.display_name),
                      'internal revenue|\bIRS\b|social security|\bSSA\b|medicaid|medicare|department of (?:health|revenue|treasur|state|labor|justice|homeland)|ministry of finance|income tax (?:department|dept)|department of the treasury|u\.?s\.? treasury'
  )
  // a document lure link that is either a download cta to a low-rep host
  and any(body.current_thread.links,
          regex.icontains(.display_text,
                          'download|response form|review document|official document|statement'
          )
          and (
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.root_domain in $url_shorteners
            or (
              .href_url.domain.subdomain is not null
              and .href_url.domain.subdomain != "www"
              and .href_url.domain.root_domain in $free_subdomain_hosts
            )
          )
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence in ("medium", "high")
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Free subdomain host"
  - "Social engineering"
  - "Lookalike domain"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
  - "Natural Language Understanding"
  - "Content analysis"
  - "Threat intelligence"
id: "9e322cf8-a80b-5c59-b07a-af58e2753502"