heroui logo

VIP impersonation: VIP recipient of previous thread with HTML generator

Sublime Rules

View Source
Summary
Detects inbound messages that impersonate organizational VIPs within invoice-themed outreach, focusing on threads that already involve VIP recipients. The rule triggers when a message is part of a prior thread whose recipients include known VIPs (matched by display name or email) and the HTML body contains indicators of a templated HTML lure: either the literal string "Advanced HTML parser" is present in body.html.raw or the HTML contains a title tag matching <title>HTML Message</title> (with possible whitespace). These artifacts are commonly left by tooling that crafts or obfuscates invoice-related phishing content. The rule is aimed at high-severity BEC/fraud campaigns and uses HTML analysis, content analysis, and sender analysis to detect suspicious activity. It is designed for inbound message contexts such as webmail/application gateways. Potential false positives may arise if legitimate communications reuse similar templates or if VIP lists are incomplete; attackers may also adapt by omitting known markers. Recommendations include keeping VIP lists current, expanding detection markers, and correlating with sender authentication signals (DKIM/SPF) and thread-level context for stronger accuracy.
Categories
  • Web
  • Application
  • Identity Management
Data Sources
  • Process
  • Application Log
Created: 2026-07-07