VIP impersonation with invoicing request

name: "VIP impersonation with invoicing request"
description: "This rule detects emails attempting to impersonate a VIP, it leverages NLU to determine if there is invoicing verbiage in the current thread, and requires request language."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any($org_vips, strings.contains(sender.display_name, .display_name))
  and (
    (
      sender.email.domain.domain in $org_domains
      // X-headers indicate external sender
      and headers.x_authenticated_sender.email != sender.email.email
      and headers.x_authenticated_domain.domain not in $org_domains
    )
    or sender.email.domain.domain not in $org_domains
  )
  
  // Invoice Language with a request
  and (
    any(ml.nlu_classifier(body.current_thread.text).tags,
        .name == "invoice"
        and .confidence in ("medium", "high")
        and any(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "request"
        )
    )
  )
  
  // and the reply to email address has never been contacted  
  and any(headers.reply_to, .email.email not in $recipient_emails)
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: VIP"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"

id: "a60f89a0-6cd0-5c2d-96de-8800380df407"