Benefits Enrollment Impersonation

Sublime Rules

Summary
The 'Benefits Enrollment Impersonation' detection rule is designed to catch potentially malicious emails that impersonate legitimate HR communications about benefits enrollment. It looks for messages from external senders that contain keywords and phrases associated with benefits enrollment, especially when paired with urgent language asking the recipient to act. To exclude legitimate communications, the rule checks senders against known trusted sender domains and combines several layers of filtering (content, header and sender analysis) to minimize false positives. It also inspects the nature of any attachments, focusing on those that may carry malicious content. Additional filters prevent it from flagging common marketing communications or previously approved legitimate sender domains. The rule targets impersonation carried out through social engineering and phishing attempts related to employee benefits, and it carries a high severity rating because of the sensitive data involved in benefits enrollment.
Categories
  • Endpoint
  • Cloud
  • Web
  • Application
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
  • Application Log
  • Process
Created: 2025-01-30