
VIP impersonation: Fake forwarded indicator with VIP recipient impersonation
Sublime Rules
View SourceSummary
This rule detects inbound email messages that attempt to impersonate organizational VIPs by fabricating a forwarded-thread scenario. It targets short inbound messages (less than 6,000 characters) and looks for patterns indicative of a forwarded email chain, including subtle variations of the phrase “message that has been forwarded” and related header formatting. The detection logic requires that either the current thread or any previous threads exhibit a forwarded-message pattern (excluding a specific literal header), suggesting an attempt to create the appearance of an internal executive communication. To escalate the impersonation, the rule then checks whether any earlier thread was addressed to VIP recipients by name or email, using a VIP list (.org_vips) and matching on display_name or email fields. If a prior thread was sent to a VIP and the current or earlier thread contains a forged “forwarded” thread, the rule attributes the activity to a BEC/Fraud scenario involving VIP impersonation, social engineering, and evasion techniques. The rule uses content analysis (string matching and regex) to detect forwarded-thread indicators and sender analysis to tie activity to VIP recipients. This combination reduces false positives by requiring both the forwarded-thread pattern and VIP recipient targeting, and it leverages short message content to focus on likely spoof attempts rather than lengthy, legitimate threads.
Categories
- Application
Data Sources
- Network Traffic
Created: 2026-07-08