
Summary
This rule detects VIP payment-handling impersonation attempts in inbound email threads. It looks for external senders who target a single internal recipient after a VIP previously directed that party to handle invoice or payment correspondence. The detector requires a prior thread authored by the VIP (or showing VIP-related identifiers) with invoice/payment context (via NLU classifiers identifying terms like invoice, payment, or related topics such as “Request to View Invoice” or “Payment Information”). It then flags follow-up messages from an external sender who is not accompanied by the VIP, and where the live recipient matches the payee name and domain, while the external sender is outside the org’s domains. The rule enforces exact one internal org-domain recipient (the payee) and excludes auto-replies or messages where the VIP is present in the live thread. It also analyzes the message text for payment-handoff language (e.g., forwarding to accounts payable, directing payment to a specified recipient) and uses header/sender analysis to verify origin and intent. When matched, the pattern indicates a potential Business Email Compromise (BEC) targeting the payment handoff and is categorized under VIP impersonation and social engineering with a high severity. The detection relies on content analysis, natural language understanding, sender/recipient identity checks, and header scrutiny to reduce false positives from legitimate handoffs.
Categories
- Endpoint
- Application
Data Sources
- Process
Created: 2026-07-09