Create impersonation_social_security_administration.yml

detection-rules/impersonation_social_security_admin.yml

@@ -0,0 +1,43 @@
+name: "Impersonation: Social Security Administration with secure message language"
+description: "Detects messages impersonating the Social Security Administration (SSA) that contain links and use legitimate SSA terminology like 'Secure Message' or 'SSA Statement Viewer', but are sent from non-government domains by unsolicited or suspicious senders."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_messages_benign
+    )
+  )
+  // Identifies as SSA without catching strings such as "Alyssa"
+  and (
+    regex.contains(sender.display_name, '^SSA\b')
+    or strings.icontains(sender.display_name, "Social Security Administration")
+  )
+  // Contains a link
+  and length(body.links) >= 1
+
+  // Not from a .gov domain
+  and not sender.email.domain.tld == ".gov"
+
+  // Secure messsage wording
+  and (
+    strings.icontains(body.current_thread.text, "Secure Message")
+    or strings.contains(body.current_thread.text, "SSA Statement Viewer")
+    // real SSA phone number
+    or strings.icontains(body.current_thread.text, "1-800-772-1213")
+  )
+
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+  - "URL analysis"
+id: "6196767e-6264-5833-96f3-d1e34424d7b5"