
Summary
This rule detects inbound messages that impersonate government or tax authorities (e.g., IRS, SSA, Department of Treasury) and contain suspicious document-related links. It triggers when the sender display name appears to mimic an authority and includes terms such as internal revenue, IRS, SSA, department of treasury, or similar phrases. It further looks for document lure links within the current thread where the link text suggests a download or official document (e.g., download, review document, official document). The rule flags links that point to low-reputation or free subdomains, or phishing-kit URLs that embed the impersonated organization’s name in the path. Credential theft intent is corroborated via an NLP classifier on the thread text, requiring a cred_theft intent with medium or high confidence. Trusted senders are excluded only if DMARC authentication fails on the message (i.e., not negating highly trusted domains when DMARC passes). The rule is categorized as Credential Phishing and uses impersonation, lookalike domains, and free subdomain hosting as key techniques, supported by sender/URL analysis, NLP, content analysis, and threat intelligence. It also cross-checks sender trust with DMARC status to minimize false positives.
Categories
- Network
- Web
Data Sources
- Network Traffic
- Domain Name
Created: 2026-07-15