
VIP impersonation with w2 request with reply-to mismatch

This rule detects emails attempting to impersonate a VIP requesting a W-2 with a reply-to mismatch.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and (
  any($org_vips, strings.contains(sender.display_name, .display_name))
  or any(regex.extract(sender.display_name, '^(?<first>\S+)\s+(?<second>\S+)$'),
         any($org_vips,
             strings.contains(.display_name, ..named_groups["first"])
             and strings.contains(.display_name, ..named_groups["second"])
         )
  )
)
and not (
  sender.email.domain.domain in $org_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

// W-2 Language with a request
and (
  strings.contains(strings.replace_confusables(subject.base), 'W-2')
  or strings.icontains(subject.base, 'w2')
  or strings.icontains(subject.base, 'wage')
  or strings.icontains(subject.base, 'tax form')
  or strings.icontains(subject.base, 'irs')
)
and strings.contains(body.current_thread.text, 'W-2')
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "request"
)

// different reply-to address
and length(headers.reply_to) > 0
and sender.email.email not in map(headers.reply_to, .email.email)

// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content
name: "VIP impersonation with w2 request with reply-to mismatch"
description: "This rule detects emails attempting to impersonate a VIP requesting a W-2 with a reply-to mismatch."
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    any($org_vips, strings.contains(sender.display_name, .display_name))
    or any(regex.extract(sender.display_name, '^(?<first>\S+)\s+(?<second>\S+)$'),
           any($org_vips,
               strings.contains(.display_name, ..named_groups["first"])
               and strings.contains(.display_name, ..named_groups["second"])
           )
    )
  )
  and not (
    sender.email.domain.domain in $org_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  
  // W-2 Language with a request
  and (
    strings.contains(strings.replace_confusables(subject.base), 'W-2')
    or strings.icontains(subject.base, 'w2')
    or strings.icontains(subject.base, 'wage')
    or strings.icontains(subject.base, 'tax form')
    or strings.icontains(subject.base, 'irs')
  )
  and strings.contains(body.current_thread.text, 'W-2')
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request"
  )
  
  // different reply-to address
  and length(headers.reply_to) > 0
  and sender.email.email not in map(headers.reply_to, .email.email)
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: VIP"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
id: "e7e73fad-6ce6-51f9-9b52-40eaef71f5a1"