heroui logo

VIP impersonation: Invoice fraud with mobile device sign-off

Sublime Rules

View Source
Summary
Detects inbound email messages that are part of a thread where a known VIP previously replied, identified by display name or email, and who is then silently removed from the current recipient list. The rule flags potential business email compromise (BEC) using invoice/payment lures where an attacker impersonates an internal executive, signs off in the thread with a mobile footer (for example, "Sent from my iPhone" or "Sent from my iPad"), and then asks recipients to take payment actions. It cross-references the current message text against ML-derived topics and tags related to financial communications (e.g., "Financial Communications", "Request to View Invoice", "invoice", "payment") with non-low confidence. The logic requires analysis of the inbound message body, the thread history, the sender, and recipients to determine VIP impersonation and suspicious context, combining content analysis with sender analysis to reduce false positives. This pattern aligns with social engineering and impersonation tactics used in fraud schemes, and is designed to trigger on suspicious invoice/payment requests that rely on VIP spoofing within a thread.
Categories
  • Web
  • Application
  • Identity Management
  • Other
Data Sources
  • Application Log
  • Network Traffic
Created: 2026-07-08