Impersonation: Suspected supplier impersonation with suspicious content

Sublime Rules

Summary
This detection rule aims to identify potential supplier impersonation attacks, particularly those related to business email compromise (BEC) and fraud. The rule checks several indicators to flag suspicious emails that could lead to unauthorized financial transactions:
  • Sender domain similarity to known supplier domains, to detect lookalike domains
  • Sender domain is not a freemail provider, while the email's headers show freemail indicators
  • Age of the sender domain and related domains, to detect newly registered lookalike domains
  • Unsolicited communication, with no prior interaction with the reply-to address
  • Message content analyzed with natural language processing to identify keywords and phrases related to requests and payment
When two or more of these conditions are satisfied, the email is flagged as potentially malicious.
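To make the two-or-more-indicators logic concrete, the following is an added Python example, not the Sublime rule itself. It scores a message against the indicator families the summary describes; the supplier list, freemail list, domain-registration dates, prior-contact set and the two sample messages are all constructed for the example, and the keyword regexes stand in for the rule's NLP analysis.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed reference data (hypothetical; real deployments would source these
# from a vendor list, a freemail feed, WHOIS/RDAP lookups and mail history).
KNOWN_SUPPLIERS = {"acme-supply.com", "northwind-parts.com"}
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com"}
DOMAIN_CREATED = {"acme-supply.com": date(2012, 3, 14), "acme-supp1y.com": date(2024, 1, 25)}
PRIOR_CONTACTS = {"billing@acme-supply.com"}
YOUNG_DOMAIN_DAYS = 30

# Simple keyword stand-in for the rule's NLP "request" and "payment" intents.
REQUEST_TERMS = re.compile(r"\b(please|kindly|urgent|asap|update|change)\b", re.I)
PAYMENT_TERMS = re.compile(r"\b(wire|invoice|bank details|account number|payment|remit)\b", re.I)


@dataclass
class Message:
    sender: str
    reply_to: str
    return_path: str
    body: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike supplier domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def evaluate(msg: Message, today: date) -> list[str]:
    """Return the names of every indicator that fires for this message."""
    fired = []
    sender_dom, reply_dom = domain_of(msg.sender), domain_of(msg.reply_to)

    # 1. Sender domain is close to, but not exactly, a known supplier domain.
    if sender_dom not in KNOWN_SUPPLIERS and any(
        levenshtein(sender_dom, s) <= 2 for s in KNOWN_SUPPLIERS
    ):
        fired.append("lookalike_supplier_domain")

    # 2. Sender domain is not freemail, but Reply-To / Return-Path point at freemail.
    if sender_dom not in FREEMAIL and (
        reply_dom in FREEMAIL or domain_of(msg.return_path) in FREEMAIL
    ):
        fired.append("freemail_header_indicator")

    # 3. Sender or reply-to domain was registered very recently (unknown age is skipped).
    for dom in {sender_dom, reply_dom}:
        created = DOMAIN_CREATED.get(dom)
        if created and (today - created).days <= YOUNG_DOMAIN_DAYS:
            fired.append("young_domain")
            break

    # 4. Unsolicited: no prior interaction with the reply-to address.
    if msg.reply_to.lower() not in PRIOR_CONTACTS:
        fired.append("unsolicited")

    # 5. Body carries both request language and payment language.
    if REQUEST_TERMS.search(msg.body) and PAYMENT_TERMS.search(msg.body):
        fired.append("payment_request_language")
    return fired


def is_suspicious(msg: Message, today: date, threshold: int = 2) -> bool:
    """Flag when two or more indicators are satisfied, as the rule summary describes."""
    return len(evaluate(msg, today)) >= threshold


# Constructed sample messages.
SUSPICIOUS = Message(
    sender="ap@acme-supp1y.com",
    reply_to="acme.billing@gmail.com",
    return_path="acme.billing@gmail.com",
    body="Kindly update the bank details for invoice 4471 and wire payment to the new account.",
)
BENIGN = Message(
    sender="billing@acme-supply.com",
    reply_to="billing@acme-supply.com",
    return_path="billing@acme-supply.com",
    body="Attached is the monthly statement for January. No action is needed.",
)

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, evaluate(m, date(2024, 2, 1)), is_suspicious(m, date(2024, 2, 1)))
```

The per-indicator output is worth keeping in the alert: an analyst triaging a hit wants to know whether it fired on a lookalike domain plus a freemail reply-to, or only on keyword matches plus a first-time sender, because the two cases warrant different follow-up.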
Categories
  • Endpoint
  • Cloud
  • Web
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
  • Application Log
  • Process
Created: 2024-01-30