From a91ecb56ee95255ec6c092484825172bf1deeac6 Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Mon, 3 Nov 2025 16:04:02 -0500
Subject: [PATCH] Update impersonation_social_security_admin.yml

---
 .../impersonation_social_security_admin.yml | 37 ++++++++++++++++---
 1 file changed, 32 insertions(+), 5 deletions(-)

diff --git a/detection-rules/impersonation_social_security_admin.yml b/detection-rules/impersonation_social_security_admin.yml
index 64488f5621c..511b9064f6f 100644
--- a/detection-rules/impersonation_social_security_admin.yml
+++ b/detection-rules/impersonation_social_security_admin.yml
@@ -4,7 +4,7 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
-  
+  and length(attachments) < 2
   // Identifies as SSA without catching strings such as "Alyssa"
   and (
     regex.contains(sender.display_name, '^SSA\b')
@@ -12,14 +12,26 @@ source: |
     // there are confusables in the display name
     or (
       strings.replace_confusables(sender.display_name) != sender.display_name
-      and strings.contains(strings.replace_confusables(sender.display_name), "SSA")
+      and strings.contains(strings.replace_confusables(sender.display_name),
+                           "SSA"
+      )
     )
     or any([sender.display_name, subject.subject],
-           regex.icontains(strings.replace_confusables(.), 'Social (?:benefits|security)', )
+           regex.icontains(strings.replace_confusables(.),
+                           'Social (?:benefits|security)',
+           )
+    )
+    or (
+      any(attachments,
+          .file_type in ("doc", "docx")
+          and any(file.explode(.),
+                  strings.icontains(.scan.strings.raw,
+                                    "Social Security Administration"
+                  )
+          )
+      )
     )
   )
-  // Contains a link
-  and length(body.links) >= 1
   // Not from a .gov domain
   and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)
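Review bot: `and length(attachments) < 2` is placed directly under `type.inbound`, so it becomes a hard precondition for the entire rule: a sender who attaches a second file (or, if the platform counts inline images in `attachments`, an inline logo) escapes every condition below, including the new Word-document checks this same patch adds. The line carries no comment and the commit message is only "Update …", so the intent cannot be recovered from the diff. If the cap is a false-positive control against bulk business mail, say so, e.g. `// At most one attachment (FP control) — note a second attachment bypasses the rule`, and consider scoping the limit to the doc/docx branch rather than to the whole rule. The `source` block continues past the hunk.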
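Review bot: With `// Contains a link` and `and length(body.links) >= 1` removed, a message whose only visible signal is a display name matching `^SSA\b` (the first condition of this `and (` group, shown as context) no longer needs a link or an attachment to clear this group; the remaining gates are outside the hunk, so the net precision impact cannot be judged from here and is worth a sentence in the commit message. The new attachment branch inspects only `doc`/`docx` through `file.explode` and `.scan.strings.raw`, so a PDF or image lure carrying the same "Social Security Administration" text is not covered; if that gap is deliberate, a comment such as `// Word documents only; PDF/image lures are not inspected here` would stop the next reader from assuming otherwise. The enclosing `source` block starts before and continues after this hunk.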
@@ -44,6 +56,21 @@ source: |
     or any(ml.logo_detect(file.message_screenshot()).brands,
            .name == "SSA" and .confidence == "high"
     )
+    or (
+      any(attachments,
+          .file_type in ("doc", "docx")
+          and any(file.explode(.),
+                  strings.icontains(.scan.strings.raw, "suspended")
+                  or strings.icontains(.scan.strings.raw, "fraudulent")
+                  or strings.icontains(.scan.strings.raw, "violated")
+                  or strings.icontains(.scan.strings.raw, "false identity")
+                  or regex.icontains(.scan.strings.raw,
+                                     '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
+                                     '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
+                  )
+          )
+      )
+    )
   )
   and not any(ml.nlu_classifier(body.current_thread.text).topics,
               .name in (
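Review bot: Inside the new `any(file.explode(.), ...)` the phone-number `regex.icontains` is `or`-ed with the keyword checks, so a Word attachment that merely contains a phone number satisfies this branch on its own — true of most legitimate letterhead — and the `suspended`/`fraudulent`/`violated`/`false identity` keywords add nothing in that case. If the intent is "threatening language plus a callback number", wrap the four `strings.icontains` checks in parentheses and change `or regex.icontains(.scan.strings.raw,` to `and regex.icontains(.scan.strings.raw,`. Separately, in the first pattern the lazy `?` in `[ilo0-9]{3}?` is a no-op on a fixed repeat and the unescaped `.` separators match any character, which makes it both looser than and largely redundant with the second pattern's explicit `[\s\.\-⋅]{0,5}` separators; either drop it or replace each bare `.` with that separator class. The enclosing `or` group starts before the hunk and the `source` block continues past it.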