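name: "VIP impersonation with urgent request (first-time sender)"
description: |
  Sender is using a display name that matches the display name of someone in your $org_vips list.
  Detects potential Business Email Compromise (BEC) attacks by running the NLU classifier over the
  email body (plain text and rendered HTML) for BEC intent or urgency-plus-request language, and
  only fires when the sender is not already known (first-time sender).
type: "rule"
severity: "high"
source: |
  type.inbound
  // Display-name collision with a VIP. This is an exact string comparison against $org_vips;
  // NOTE(review): it appears case-sensitive and will not catch look-alike / partially matching
  // display names — confirm against the MQL string semantics in use.
  and any($org_vips, .display_name == sender.display_name)
  // Body content: either the classifier is highly confident this is BEC, or it sees both an
  // "urgency" and a "request" entity (e.g. "need this done today, please wire ..."). Both the
  // raw plain-text part and the inner text of the HTML part are checked so a body present in
  // only one MIME part is still evaluated.
  and any([body.plain.raw, body.html.inner_text],
          any(ml.nlu_classifier(.).intents,
              .name == "bec" and .confidence == "high"
          )
          or (
              any(ml.nlu_classifier(.).entities, .name == "urgency")
              and any(ml.nlu_classifier(.).entities, .name == "request")
          )
  )
  // First-time sender. The granularity of "known" depends on the sender's domain:
  //  - free email provider (gmail.com etc.): the whole domain is shared, so only the exact
  //    sender address counts as known ($sender_emails);
  //  - any other domain: the sending domain counts as known ($sender_domains).
  // NOTE(review): this relies on $sender_emails / $sender_domains being kept current; a stale
  // list means legitimate VIP personal-account mail is flagged and newly-onboarded domains are
  // flagged, while an over-broad list suppresses true positives.
  and (
      (
          sender.email.domain.root_domain in $free_email_providers
          and sender.email.email not in $sender_emails
      )
      or (
          sender.email.domain.root_domain not in $free_email_providers
          and sender.email.domain.domain not in $sender_domains
      )
  )
tags:
  - "VIP impersonation"
  - "Executive impersonation"
  - "Suspicious sender"
  - "Machine Learning"
  - "Natural Language Understanding"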