
Summary
This rule detects potential Business Email Compromise (BEC) attacks by identifying emails from untrusted senders whose display name closely matches a name on the organization's VIP list. The detection uses a near-match comparison between the sender's display name and the names in the $org_vips variable: if the Levenshtein distance between the two is less than 4, the rule treats them as a match. The rule also runs a Natural Language Understanding (NLU) classifier over the email body and looks for BEC intents reported with medium or high confidence. The sender's profile is checked to confirm the message is not from a common or solicited source and to look for any history of malicious or spam messages from that sender. Exceptions are made for SharePoint notifications and for trusted sender domains, which only trigger the rule if the message fails DMARC authentication. Combining these signals keeps false positives low while still providing robust coverage of targeted impersonation attacks against VIPs.
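To make the display-name branch of the logic concrete, here is an added Python example (not the rule's own code, and not Sublime's implementation of the near-match function) that applies the "Levenshtein distance less than 4" test described above to a From: header. The VIP list standing in for $org_vips, the organization domain set, the case-insensitive comparison and the sample headers are all assumptions constructed for this illustration; the NLU, sender-profile and DMARC checks from the description are out of scope here.

```python
"""Added example: VIP display-name near-match check, not the rule's own code.
Models only the display-name branch: a sender outside the org's domains whose
display name is within Levenshtein distance < 4 of a VIP name is flagged."""
from email.utils import parseaddr

# Constructed stand-in for the $org_vips variable
ORG_VIPS = ["Jane Doe", "Marcus Chen", "Priya Natarajan"]
# Constructed: domains the organization owns; mail from these is not "untrusted"
ORG_DOMAINS = {"example.com"}
# Threshold as stated in the rule description: a match when distance < 4
THRESHOLD = 4


def levenshtein(a: str, b: str) -> int:
    """Edit distance where insert, delete and substitute each cost 1."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def vip_near_match(display_name, vips=ORG_VIPS, threshold=THRESHOLD):
    """Return (vip, distance) for the closest VIP under the threshold, else None.
    Case-insensitive comparison is an assumption of this example."""
    name = display_name.strip().casefold()
    best = None
    for vip in vips:
        d = levenshtein(name, vip.casefold())
        if d < threshold and (best is None or d < best[1]):
            best = (vip, d)
    return best


def flag_vip_impersonation(from_header: str) -> dict:
    """Evaluate one From: header: flag only when the display name near-matches
    a VIP AND the sending domain is not one the organization owns."""
    display, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    match = vip_near_match(display)
    untrusted = domain not in ORG_DOMAINS
    return {
        "display": display,
        "domain": domain,
        "vip_match": match,
        "flag": match is not None and untrusted,
    }


if __name__ == "__main__":
    # Constructed sample headers, not real messages
    for hdr in ['"Jane D0e" <jane.doe@example-mail.co>',   # near-match, external
                '"Jane Doe" <jane.doe@example.com>',       # exact, internal
                '"Bob Smith" <bob@gmail.com>']:             # no VIP match
        print(flag_vip_impersonation(hdr))
```

The small threshold is what makes this branch useful: a single substituted, dropped or added character keeps the distance at 1, so a lookalike display name still lands inside the window, while unrelated names fall well outside it. In the real rule this signal is never used on its own; it is combined with the body-intent, sender-profile and DMARC conditions described above, which is what keeps the near-match from firing on every coincidental similarity.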
Categories
- Identity Management
- Endpoint
- Cloud
- Application
- Web
Data Sources
- User Account
- Process
- Network Traffic
- Application Log
- Web Credential
Created: 2025-05-30