diff --git a/detection-rules/vip_impersonation_fake_thread_with_invoice_handoff.yml b/detection-rules/vip_impersonation_fake_thread_with_invoice_handoff.yml new file mode 100644 index 00000000000..2585359b916 --- /dev/null +++ b/detection-rules/vip_impersonation_fake_thread_with_invoice_handoff.yml @@ -0,0 +1,74 @@ +name: "VIP impersonation: VIP payment redirect handoff via fake threads" +description: "Detects inbound messages where an external sender, absent from the original conversation, targets a single internal recipient after a VIP previously instructed that party to handle invoice or payment correspondence. The rule identifies prior threads where a known VIP explicitly redirected billing or payment contact to an internal address — using language such as forwarding instructions, accounts payable references, or billing handoff phrasing — and flags follow-up messages from external senders who are no longer accompanied by the VIP. NLU classifiers confirm financial context in the prior thread. This pattern is consistent with adversaries monitoring or fabricating invoice-related threads to insert themselves at the point of payment handoff." +type: "rule" +severity: "high" +source: | + type.inbound + and any(map(filter(body.previous_threads, + // VIP authored the segment: display_name OR real email (OR, not AND -- the actor guesses + // the exec's address, so a fabricated From: is often the wrong format at the right org). + any($org_vips, + strings.icontains(..sender.display_name, .display_name) + or ( + .email != "" + and strings.icontains(..sender.email.email, .email) + ) + ) + // skip auto-replies; coalesce the null on subject-less segments before `not`. + and not coalesce(.subject.is_auto_reply, false) + // the live recipient is the payee the VIP names, at an org domain. + and any(recipients.to, + .email.email != ..sender.email.email + and .email.domain.root_domain in $org_domains + and strings.icontains(..text, .email.email) + ) + // payment "handoff" phrasing. + and regex.icontains(.text, + 'accounts? payable', + '(?:forward|send|rout|direct|remit|submit|issue) it (?:directly )?to', + '(?:forward|send|direct|remit|submit|route) (?:the |all |related )?(?:invoice|correspondence|payment|billing)', + 'for payment processing,? please contact', + '(?:please )?direct (?:it|all|the)[^\n]{0,60}\bto\b', + '(?:as follows|provided below|find below|details are|contact is)[^\n]{0,10}:', + 'billing (?:contact|correspondence|team|department)' + ) + ), + .sender.email.email + ), + . != "" + // the VIP is no longer present in the live message. + and not strings.icontains(sender.email.email, .) + and not any(flatten([recipients.to, recipients.cc, recipients.bcc]), + strings.icontains(.email.email, ..) + ) + // any previous thread authored by the "VIP" has invoice/payment + and any(filter(body.previous_threads, .sender.email.email == ..), + any(ml.nlu_classifier(.text, subject=.subject.base).tags, + .name in ("invoice", "payment") and .confidence != "low" + ) + or any(ml.nlu_classifier(.text, subject=.subject.base).topics, + .name in ( + "Request to View Invoice", + "Payment Information" + ) + and .confidence != "low" + ) + ) + ) + // exactly one org-domain recipient (the payee); external sender. + and length(filter(flatten([recipients.to, recipients.cc, recipients.bcc]), + .email.domain.root_domain in $org_domains + ) + ) == 1 + and not sender.email.domain.root_domain in $org_domains +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Impersonation: VIP" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Natural Language Understanding" + - "Sender analysis" + - "Header analysis" +id: "215b8849-c7b5-577c-844f-be0e0dfc9116"