1+ name : " Impersonation: Social Security Administration (SSA)"
2+ description : " Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders."
3+ type : " rule"
4+ severity : " medium"
5+ source : |
6+ type.inbound
7+ and length(attachments) < 2
8+ // Identifies as SSA without catching strings such as "Alyssa"
9+ and (
10+ regex.contains(sender.display_name, '^SSA\b')
11+ or strings.icontains(sender.display_name, "Social Security Administration")
12+ // there are confusables in the display name
13+ or (
14+ strings.replace_confusables(sender.display_name) != sender.display_name
15+ and strings.contains(strings.replace_confusables(sender.display_name),
16+ "SSA"
17+ )
18+ )
19+ or any([sender.display_name, subject.subject],
20+ regex.icontains(strings.replace_confusables(.),
21+ 'Social (?:benefits|security)',
22+ )
23+ )
24+ or (
25+ any(attachments,
26+ .file_type in ("doc", "docx")
27+ and any(file.explode(.),
28+ strings.icontains(.scan.strings.raw,
29+ "Social Security Administration"
30+ )
31+ )
32+ )
33+ )
34+ )
35+
36+ // Not from a .gov domain
37+ and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)
38+
39+ // Additional suspicious indicator
40+ and (
41+ any(ml.nlu_classifier(body.current_thread.text).topics,
42+ .name == "Secure Message" and .confidence == "high"
43+ )
44+ or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
45+ or strings.icontains(body.current_thread.text, "Social Security Statement")
46+ or regex.icontains(body.current_thread.text,
47+ "(?:view|open) (?:your|the).{0,8} (statement|document)"
48+ )
49+ // real SSA phone number
50+ or strings.icontains(body.current_thread.text, "1-800-772-1213")
51+ or any(body.links,
52+ any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
53+ .named_groups["ext"] in $file_extensions_executables
54+ )
55+ )
56+ or any(ml.logo_detect(file.message_screenshot()).brands,
57+ .name == "SSA" and .confidence == "high"
58+ )
59+ or (
60+ any(attachments,
61+ .file_type in ("doc", "docx")
62+ and any(file.explode(.),
63+ strings.icontains(.scan.strings.raw, "suspended")
64+ or strings.icontains(.scan.strings.raw, "fraudulent")
65+ or strings.icontains(.scan.strings.raw, "violated")
66+ or strings.icontains(.scan.strings.raw, "false identity")
67+ or regex.icontains(.scan.strings.raw,
68+ '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
69+ '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
70+ )
71+ )
72+ )
73+ )
74+ )
75+ and not any(ml.nlu_classifier(body.current_thread.text).topics,
76+ .name in (
77+ "Newsletters and Digests",
78+ "Advertising and Promotions",
79+ "Events and Webinars"
80+ )
81+ and .confidence == "high"
82+ )
83+ // not a forward or reply
84+ and (headers.in_reply_to is null or length(headers.references) == 0)
85+ and (
86+ not profile.by_sender().solicited
87+ or (
88+ profile.by_sender().any_messages_malicious_or_spam
89+ and not profile.by_sender().any_messages_benign
90+ )
91+ )
92+ and not (
93+ sender.email.domain.root_domain in $high_trust_sender_root_domains
94+ and coalesce(headers.auth_summary.dmarc.pass, false)
95+ )
96+
97+ attack_types :
98+ - " BEC/Fraud"
99+ - " Credential Phishing"
100+ tactics_and_techniques :
101+ - " Impersonation: Brand"
102+ - " Social engineering"
103+ detection_methods :
104+ - " Content analysis"
105+ - " Sender analysis"
106+ - " URL analysis"
107+ id : " c7ed8724-dfcc-59e5-896f-e96da25098d9"
108+ og_id : " 6196767e-6264-5833-96f3-d1e34424d7b5"
109+ testing_pr : 3465
110+ testing_sha : a91ecb56ee95255ec6c092484825172bf1deeac6
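Review bot: The .gov exclusion `and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)` does not coalesce a null DMARC verdict the way the `$high_trust_sender_root_domains` exclusion at the end of the rule does; if `dmarc.pass` can be null (the later `coalesce(..., false)` suggests it can), a spoofed `.gov` sender with no DMARC result likely turns that conjunction null and the rule fails to fire for exactly the case it targets — use `and not (sender.email.domain.tld == "gov" and coalesce(headers.auth_summary.dmarc.pass, false))`. The description also claims detected messages "contain links", but no `length(body.links) > 0` gate exists and the executable-extension link test is only one optional indicator, so either add the gate or drop the claim. The `// not a forward or reply` comment overstates the check beneath it: with `or`, a message carrying only one of In-Reply-To/References still passes and nothing inspects forwards, so if that leniency is deliberate the comment should say so. The file header with the path and diffstat is outside the shown section.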