[PR #3078] changed rule: VIP / Executive impersonation in subject (untrusted)

github-actions[bot] · github-actions[bot] · commit c5e721c21cba · 2025-08-13T20:46:08.000Z
diff --git a/detection-rules/3078_vip_impersonation_subject.yml b/detection-rules/3078_vip_impersonation_subject.yml
@@ -0,0 +1,93 @@
+name: "VIP / Executive impersonation in subject (untrusted)"
+description: |
+  Sender subject contains the display name of a user in the $org_vips list, and the sender has never been seen before.
+  
+  The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work.
+  Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
+  
+  This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender.
+  
+  Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any($org_vips,
+          strings.contains(subject.subject, .display_name)
+          and strings.contains(.display_name, " ")
+  )
+  // not being sent to said VIP
+  and not (
+    (
+      length(recipients.to) == 1
+      and all(recipients.to,
+              any($org_vips,
+                  .email == ..email.email
+                  and strings.contains(subject.subject, .display_name)
+                  and strings.contains(.display_name, " ")
+              )
+      )
+    )
+  )
+  and (
+    // ignore personal <> work emails
+    // where the sender and mailbox's display name are the same
+    length(recipients.to) > 0
+    or length(recipients.cc) > 0
+    or sender.display_name != mailbox.display_name
+  )
+  // bounce-back negations
+  and not strings.like(sender.email.local_part,
+                       "*postmaster*",
+                       "*mailer-daemon*",
+                       "*administrator*"
+  )
+  and not any(attachments,
+              .content_type in (
+                "message/rfc822",
+                "message/delivery-status",
+                "text/calendar"
+              )
+  )
+  and (
+    (
+      profile.by_sender().prevalence in ("new", "outlier")
+      and not profile.by_sender().solicited
+    )
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_messages_benign
+    )
+  )
+  
+  // negate org domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $org_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $org_domains
+  )
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+
+tags:
+  - "Attack surface reduction"
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Impersonation: VIP"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+id: "d1619566-88b0-517e-9da4-e069be71eba5"
+og_id: "0a641fe5-70b9-5f4e-9c34-0d70eac11fae"
+testing_pr: 3078
+testing_sha: ea150687d7b17819ebff1a6b7814feaca394829a
