+name: "VIP / Executive impersonation in subject (untrusted)"
+description: |
+  Sender subject contains the display name of a user in the $org_vips list, and the sender has never been seen before.
+
+  The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work.
+  Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
+
+  This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender.
+
+  Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any($org_vips,
+          strings.contains(subject.subject, .display_name)
+          and strings.contains(.display_name, " ")
+  )
+  // not being sent to said VIP
+  and not (
+    (
+      length(recipients.to) == 1
+      and all(recipients.to,
+              any($org_vips,
+                  .email == ..email.email
+                  and strings.contains(subject.subject, .display_name)
+                  and strings.contains(.display_name, " ")
+              )
+      )
+    )
+  )
+  and (
+    // ignore personal <> work emails
+    // where the sender and mailbox's display name are the same
+    length(recipients.to) > 0
+    or length(recipients.cc) > 0
+    or sender.display_name != mailbox.display_name
+  )
+  // bounce-back negations
+  and not strings.like(sender.email.local_part,
+                       "*postmaster*",
+                       "*mailer-daemon*",
+                       "*administrator*"
+  )
+  and not any(attachments,
+              .content_type in (
+                "message/rfc822",
+                "message/delivery-status",
+                "text/calendar"
+              )
+  )
+  and (
+    (
+      profile.by_sender().prevalence in ("new", "outlier")
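Review bot: The description and the sender-prevalence condition disagree: the description says the rule fires when "the sender has never been seen before", but `profile.by_sender().prevalence in ("new", "outlier")` also matches senders that have been seen a small number of times ("outlier"). Either drop "outlier" or reword the description to "a first-time or rarely seen sender" so analysts tuning the rule know what it actually covers. Two smaller points on the matching logic: the VIP name match `strings.contains(subject.subject, .display_name)` is case-sensitive, so a subject written in a different case than the synced display name (for example all caps) will not match; if that is not intended, the case-insensitive `strings.icontains` is the usual choice here, and the same applies to the repeated check inside the `not (...)` recipient block. Also worth a comment in the source: the `strings.contains(.display_name, " ")` guard silently skips any VIP whose synced display name is a single token, and the "not being sent to said VIP" exclusion only applies when the VIP is the sole `recipients.to` entry (`length(recipients.to) == 1`), so a legitimate message addressed to the VIP plus one colleague still alerts; both behaviours are reasonable false-positive trade-offs but should be stated so operators do not assume broader coverage.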
0 commit comments