impersonation_vip_urgent_request.yml

name: "VIP impersonation with urgent request (first-time sender)"
description: |
    Sender is using a display name that matches the display name of someone in your $org_vips list.

    Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body first-time senders.
type: "rule"
severity: "high"
source: |
  type.inbound

  and any($org_vips, .display_name == sender.display_name)

  and any([body.plain.raw, body.html.inner_text], 
    any(ml.nlu_classifier(.).intents,
      .name == "bec" and .confidence == "high"
    )
    or (
      any(ml.nlu_classifier(.).entities, .name == "urgency")
      and any(ml.nlu_classifier(.).entities, .name == "request")
    )
  )

  // first-time sender
  and (
          (
              sender.email.domain.root_domain in $free_email_providers
              and sender.email.email not in $sender_emails
          )
          or (
              sender.email.domain.root_domain not in $free_email_providers
              and sender.email.domain.domain not in $sender_domains
          )
  )
tags:
  - "VIP impersonation"
  - "Executive impersonation"
  - "Suspicious sender"
  - "Machine Learning"
  - "Natural Language Understanding"