
Summary
This rule detects inbound messages designed to impersonate organizational VIPs by leveraging forged thread histories. It requires at least two prior threads in the message context and analyzes the oldest two threads to determine if they discuss invoices or payments (via NLP classifier tags such as "invoice"/"payment" or topics like "Request to View Invoice" / "Payment Information" with non-low confidence). Both of the two oldest threads must have one or fewer recipients (often indicating missing or manipulated headers), and at least one party in those threads must have a missing email address. The detection then looks for VIP involvement by matching VIP display names between the two oldest threads (one thread's recipient or sender matching the VIP and the other thread referencing the VIP). Crucially, the VIP must be absent from the current message's recipients, suggesting the VIP’s name is used to establish legitimacy while routing the live message away from their oversight. The rule further excludes legitimate senders by ensuring the sender domain is not in the organization’s approved domains or that DMARC alignment does not pass. Matched scenarios include executive-related invoice, payment, or advisory billing lures targeting named executives. The rule is classified as high severity (BEC/Fraud) and uses detection methods such as NLP-based content analysis, header analysis, and sender/recipient identity checks to detect staged thread histories and VIP impersonation.
Categories
- Web
- Application
- Identity Management
Data Sources
- Application Log
Created: 2026-07-14