EXPLORE
← Back to Explore
sublimemediumRule

Impersonation: Employee name in subject with suspicious sender

Detects inbound messages where the sender is using a free email provider and their display name matches an known organizational display name. The sender's local part contains common organizational role keywords (mail, office, staff, executive), and the subject line matches the recipient's first name or display name, suggesting a targeted impersonation of an internal employee or executive.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
// suspicious local part
and strings.contains(sender.email.local_part,
                     'mail',
                     'office',
                     'staff',
                     'executive'
)
and (mailbox.first_name == subject.base or mailbox.display_name == subject.base)
and strings.contains(sender.display_name, " ")
and sender.display_name in~ $org_display_names
and sender.email.domain.root_domain in $free_email_providers

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Impersonation: Employee name in subject with suspicious sender"
description: "Detects inbound messages where the sender is using a free email provider and their display name matches an known organizational display name. The sender's local part contains common organizational role keywords (mail, office, staff, executive), and the subject line matches the recipient's first name or display name, suggesting a targeted impersonation of an internal employee or executive."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // suspicious local part
  and strings.contains(sender.email.local_part,
                       'mail',
                       'office',
                       'staff',
                       'executive'
  )
  and (mailbox.first_name == subject.base or mailbox.display_name == subject.base)
  and strings.contains(sender.display_name, " ")
  and sender.display_name in~ $org_display_names
  and sender.email.domain.root_domain in $free_email_providers
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Impersonation: VIP"
  - "Free email provider"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Sender analysis"
  - "Content analysis"
id: "bb0e78cc-e529-5bcc-b4af-524446e2c2ea"