[PR #3470] added rule: VIP Impersonation via Google Group relay with suspicious indicators

Author: github-actions[bot]

detection-rules/3470_impersonation_google_groups_suspicious.yml

@@ -0,0 +1,83 @@
+name: "VIP Impersonation via Google Group relay with suspicious indicators"
+description: "Public Google Groups can be used to impersonate internal senders, while the reply to address is not under organizational control, leading to fraud, credential phishing, or other unwanted outcomes."
+type: "rule"
+severity: "high"
+source: |
+  (type.inbound or type.internal)
+  and sender.email.domain.root_domain in $org_domains
+  
+  // subject, sender or reply to contains a VIP
+  and (
+    any(headers.reply_to,
+        any($org_vips, strings.contains(.display_name, ..display_name))
+    )
+    or any($org_vips, strings.contains(subject.subject, .display_name))
+    or any($org_vips, strings.contains(sender.display_name, .display_name))
+  )
+  and any(headers.hops,
+          any(.fields,
+              regex.icontains(.name,
+                              "X-Authenticated-Sender|X-Sender|X-Original-Sender"
+              )
+          )
+  )
+  
+  // reply to return path mismatch and not org domain
+  and any(headers.reply_to,
+          .email.domain.root_domain != headers.return_path.domain.root_domain
+          and .email.domain.root_domain not in $org_domains
+  )
+  
+  // googlegroups found in hops
+  and any(headers.hops,
+          .index == 0 and any(.fields, strings.icontains(.value, "googlegroups"))
+  )
+  
+  // financial nlu entity in current thread
+  and 3 of (
+    any(ml.nlu_classifier(body.current_thread.text).entities,
+        .name == "financial"
+    ),
+  
+    // invoice entity in display_text
+    any(ml.nlu_classifier(body.current_thread.text).tags, .name == "invoice"),
+  
+    // fake thread
+    (
+      (subject.is_forward or subject.is_reply)
+      and (
+        (length(headers.references) == 0 and headers.in_reply_to is null)
+        or not any(headers.hops,
+                   any(.fields, strings.ilike(.name, "In-Reply-To"))
+        )
+      )
+    ),
+  
+    // reply-to is freemail 
+    any(headers.reply_to, .email.domain.domain in $free_email_providers),
+  
+    // reply-to is not in $recipient_emails
+    any(headers.reply_to, .email.email not in $recipient_emails),
+  
+    // dmarc authentication is freemail provider
+    headers.auth_summary.dmarc.details.from.root_domain in $free_email_providers
+  )
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "Free email provider"
+  - "Impersonation: Employee"
+  - "Social engineering"
+  - "Spoofing"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+id: "dab9243e-9f18-57cc-95cf-d68c7c0aa82e"
+og_id: "57f9cd3b-ddac-5ef5-96dd-374dbd03f5cd"
+testing_pr: 3470
+testing_sha: 29a34151c5996071b29990b56857e3a1cdb712c1