
Fake request for tax preparation

Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576.

Detection Query

// Inbound message with a short current-thread body (< 1250 chars) that the
// ML topic classifier tags as "Financial Communications".
type.inbound
and length(body.current_thread.text) < 1250
and any(beta.ml_topic(body.current_thread.text).topics,
        .name == "Financial Communications"
)
// there are no links, all the links are to aka.ms, or an extraction from a warning banner that match the senders domain
// NOTE(review): a fourth case is also accepted by the filter below — any link
// whose display_url domain is less than 30 days old per WHOIS. The filtered
// count must equal the total link count, so every link must satisfy one of
// the cases for the message to pass.
and (
  length(body.links) == 0
  or length(filter(body.links,
                   (
                     .display_text is null
                     and .display_url.url == sender.email.domain.root_domain
                   )
                   or .href_url.domain.domain == "aka.ms"
                   or network.whois(.display_url.domain).days_old < 30
            )
  ) == length(body.links)
)
// No attachments at all.
and length(attachments) == 0
// Subject mentions "tax" (case-insensitive) or is very short (< 15 chars),
// and the body must mention "tax" (case-insensitive).
and (strings.ilike(subject.subject, "*tax*") or length(subject.subject) < 15)
and strings.icontains(body.current_thread.text, "tax")
// Tax-preparation vocabulary. NOTE(review): the first branch uses strings.like
// while the second uses strings.ilike; if `like` is case-sensitive (as the
// naming suggests), capitalized forms such as "Return" or "Filing" at the
// start of a sentence only match via the ilike branch — confirm this is the
// intended behavior.
and (
  strings.like(body.current_thread.text,
               "*return*",
               "*record*",
               "*CPA*",
               "*filing*",
               "*extension*"
  )
  or strings.ilike(body.current_thread.text,
                   "*tax preparer*",
                   "*tax*processing*"
  )
)
// Either solicitation phrasing typical of "please prepare my taxes" lures,
// or the header-based "suspicious patterns" branch below.
and (
  strings.ilike(body.current_thread.text,
                "*necessary documents*",
                "*required documents*",
                "*paperwork*",
                "*in search of*",
                "*tax service*",
                "*professional help*",
                "*prepare*tax return*",
                "*service*tax return*",
                "*seeking*tax preparer*",
                "*assist*processing*tax*",
                "*schedule*call*",
                "*zoom meeting*",
                "*discuss*fees*",
                "*W2*",
                "*CPA*"
  )
  // suspicious patterns
  // The body contains the sender's display name (e.g. a signature) and two
  // (presumably "at least two") of: every Reply-To on a different root domain
  // than the sender, a Return-Path address that differs from the sender
  // address, or a Return-Path root domain of amazonses.com.
  or (
    strings.icontains(body.current_thread.text, sender.display_name)
    and 2 of (
      (
        length(headers.reply_to) > 0
        and all(headers.reply_to,
                .email.domain.root_domain != sender.email.domain.root_domain
        )
      ),
      (
        headers.return_path.email is not null
        and headers.return_path.email != sender.email.email
      ),
      headers.return_path.domain.root_domain in ("amazonses.com")
    )
  )
)
// Sender profile: an unsolicited new/outlier sender, or a sender with prior
// malicious/spam messages. NOTE(review): the `not any_messages_benign`
// condition inside the second branch is redundant with the trailing global
// clause below, which already excludes any sender with benign history.
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
// Global exclusion: any sender with benign message history never matches.
and not profile.by_sender().any_messages_benign

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Rule definition: metadata fields plus the MQL detection query in `source`.
name: "Fake request for tax preparation"
description: "Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576."
type: "rule"
severity: "high"
source: |
  // Inbound message with a short current-thread body (< 1250 chars) that the
  // ML topic classifier tags as "Financial Communications".
  type.inbound
  and length(body.current_thread.text) < 1250
  and any(beta.ml_topic(body.current_thread.text).topics,
          .name == "Financial Communications"
  )
  // there are no links, all the links are to aka.ms, or an extraction from a warning banner that match the senders domain
  // NOTE(review): a fourth case is also accepted by the filter below — any link
  // whose display_url domain is less than 30 days old per WHOIS. The filtered
  // count must equal the total link count, so every link must satisfy one of
  // the cases for the message to pass.
  and (
    length(body.links) == 0
    or length(filter(body.links,
                     (
                       .display_text is null
                       and .display_url.url == sender.email.domain.root_domain
                     )
                     or .href_url.domain.domain == "aka.ms"
                     or network.whois(.display_url.domain).days_old < 30
              )
    ) == length(body.links)
  )
  // No attachments at all.
  and length(attachments) == 0
  // Subject mentions "tax" (case-insensitive) or is very short (< 15 chars),
  // and the body must mention "tax" (case-insensitive).
  and (strings.ilike(subject.subject, "*tax*") or length(subject.subject) < 15)
  and strings.icontains(body.current_thread.text, "tax")
  // Tax-preparation vocabulary. NOTE(review): the first branch uses strings.like
  // while the second uses strings.ilike; if `like` is case-sensitive (as the
  // naming suggests), capitalized forms such as "Return" or "Filing" at the
  // start of a sentence only match via the ilike branch — confirm this is the
  // intended behavior.
  and (
    strings.like(body.current_thread.text,
                 "*return*",
                 "*record*",
                 "*CPA*",
                 "*filing*",
                 "*extension*"
    )
    or strings.ilike(body.current_thread.text,
                     "*tax preparer*",
                     "*tax*processing*"
    )
  )
  // Either solicitation phrasing typical of "please prepare my taxes" lures,
  // or the header-based "suspicious patterns" branch below.
  and (
    strings.ilike(body.current_thread.text,
                  "*necessary documents*",
                  "*required documents*",
                  "*paperwork*",
                  "*in search of*",
                  "*tax service*",
                  "*professional help*",
                  "*prepare*tax return*",
                  "*service*tax return*",
                  "*seeking*tax preparer*",
                  "*assist*processing*tax*",
                  "*schedule*call*",
                  "*zoom meeting*",
                  "*discuss*fees*",
                  "*W2*",
                  "*CPA*"
    )
    // suspicious patterns
    // The body contains the sender's display name (e.g. a signature) and two
    // (presumably "at least two") of: every Reply-To on a different root domain
    // than the sender, a Return-Path address that differs from the sender
    // address, or a Return-Path root domain of amazonses.com.
    or (
      strings.icontains(body.current_thread.text, sender.display_name)
      and 2 of (
        (
          length(headers.reply_to) > 0
          and all(headers.reply_to,
                  .email.domain.root_domain != sender.email.domain.root_domain
          )
        ),
        (
          headers.return_path.email is not null
          and headers.return_path.email != sender.email.email
        ),
        headers.return_path.domain.root_domain in ("amazonses.com")
      )
    )
  )
  // Sender profile: an unsolicited new/outlier sender, or a sender with prior
  // malicious/spam messages. NOTE(review): the `not any_messages_benign`
  // condition inside the second branch is redundant with the trailing global
  // clause below, which already excludes any sender with benign history.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // Global exclusion: any sender with benign message history never matches.
  and not profile.by_sender().any_messages_benign
# Classification tags for the rule.
attack_types:
  - "BEC/Fraud"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "e36b85b3-ffc6-5d73-b865-7dbdf9b4b1a0"