From 5b2846bc019f16b77fad6e19fc83b0155e50c455 Mon Sep 17 00:00:00 2001
From: ben-sublime
Date: Wed, 13 Aug 2025 15:21:17 -0500
Subject: [PATCH 1/2] Create impersonation_social_security_admin.yml
---
 .../impersonation_social_security_admin.yml | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 detection-rules/impersonation_social_security_admin.yml
diff --git a/detection-rules/impersonation_social_security_admin.yml b/detection-rules/impersonation_social_security_admin.yml
new file mode 100644
index 00000000000..1a4f181fae0
--- /dev/null
+++ b/detection-rules/impersonation_social_security_admin.yml
@@ -0,0 +1,42 @@
+name: "Impersonation: Social Security Administration with secure message language"
+description: "Detects messages impersonating the Social Security Administration (SSA) that contain links and use legitimate SSA terminology like 'Secure Message' or 'SSA Statement Viewer', but are sent from non-government domains by unsolicited or suspicious senders."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ not profile.by_sender().solicited
+ or (
+ profile.by_sender().any_messages_malicious_or_spam
+ and not profile.by_sender().any_messages_benign
+ )
+ )
+ // Identifies as SSA without catching strings such as "Alyssa"
+ and (
+ regex.contains(sender.display_name, '^SSA\b')
+ or strings.icontains(sender.display_name, "Social Security Administration")
+ )
+ // Contains a link
+ and length(body.links) >= 1
+
+ // Not from a .gov domain
+ and not sender.email.domain.tld == ".gov"
+
+ // Secure messsage wording
+ and (
+ strings.icontains(body.current_thread.text, "Secure Message")
+ or strings.contains(body.current_thread.text, "SSA Statement Viewer")
+ // real SSA phone number
+ or strings.icontains(body.current_thread.text, "1-800-772-1213")
+ )
+
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+ - "URL analysis"
From 730f8070c1a9a02598ab7765935037edfc700fbd Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Wed, 13 Aug 2025 20:25:37 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 detection-rules/impersonation_social_security_admin.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/impersonation_social_security_admin.yml b/detection-rules/impersonation_social_security_admin.yml
index 1a4f181fae0..565a6539ee8 100644
--- a/detection-rules/impersonation_social_security_admin.yml
+++ b/detection-rules/impersonation_social_security_admin.yml
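Review bot: The government exemption at `and not sender.email.domain.tld == ".gov"` looks like it can never match: if `sender.email.domain.tld` holds the bare label (`gov`) rather than a dot-prefixed one, the comparison is always false, the `not` is always true, and genuine SSA mail is not exempted at all — confirm against the field's values in the schema the other rules in detection-rules/ rely on. If that is the case, `and not sender.email.domain.tld == "gov"` is the minimal fix, and since a sender address spoofing a .gov domain would otherwise slip through the exemption, tying it to authentication, `and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)`, is the safer form. Two smaller points in the same block: `strings.contains(body.current_thread.text, "SSA Statement Viewer")` is case-sensitive while the neighbouring checks use `icontains`, which reads as unintended, and the comment `// Secure messsage wording` has a typo.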
@@ -40,3 +40,4 @@ detection_methods:
 - "Content analysis"
 - "Sender analysis"
 - "URL analysis"
+id: "6196767e-6264-5833-96f3-d1e34424d7b5"