This detection rule identifies emails whose subject contains the display name of a VIP or executive from a predefined list (org_vips) and whose sender has never been seen before. It is particularly useful for detecting Business Email Compromise (BEC) or fraud attempts that target high-profile individuals within an organization.
- org_vips List: A list of display names of VIPs or executives that must be manually connected to a VIP group of your upstream provider (Google Workspace).
- Email Provider: Google Workspace.
- Basic Event Filtering:
  event.category: "email" and event.provider: "google_workspace" and
  - Filters events to only include emails from Google Workspace.
- Check Subject for VIP Display Name:
  any([org_vips.display_name], {{contains(email.subject, .)}}) and
  - Ensures the email subject contains any display name from the org_vips list.
- Sender and Receiver Logic:
  ( length(email.recipients.to) > 0 or length(email.recipients.cc) > 0 or email.sender.display_name != email.receiver.display_name ) and
  - Ensures there are recipients (To or Cc) or that the sender's display name differs from the receiver's display name.
- Exclude Common Automated Email Addresses:
  not (email.sender.local_part: "*postmaster*" or email.sender.local_part: "*mailer-daemon*" or email.sender.local_part: "*administrator*") and
  - Excludes common automated email addresses (postmaster, mailer-daemon, administrator).
- Exclude Specific Attachment Types:
  not any(email.attachments.content_type: "message/rfc822" or email.attachments.content_type: "message/delivery-status" or email.attachments.content_type: "text/calendar") and
  - Excludes emails carrying forwarded messages, delivery-status reports, or calendar invites as attachments.
- DMARC Authentication Check:
  ( ( email.sender.domain.root_domain in org_domains and not email.headers.dmarc_result == "pass" ) or email.sender.domain.root_domain not in org_domains ) and ( ( email.sender.domain.root_domain in high_trust_sender_root_domains and not email.headers.dmarc_result == "pass" ) or email.sender.domain.root_domain not in high_trust_sender_root_domains ) and
  - Keeps senders whose root domain is outside org_domains and high_trust_sender_root_domains, and keeps senders claiming one of those domains only when DMARC did not pass, so authenticated mail from the organization or a trusted partner is excluded.
- Threat Level and Category:
  ( email.threat_level == "high" or email.threat_category == "spam" )
  - Uses the email.threat_level and email.threat_category fields to check for high-threat or spam-related emails.
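The quoted clauses translated into plain Python over a flattened event dict, as an added example that is not the rule's own query language or platform code. The field names, the VIP and domain lists, and the two sample events are constructed assumptions; the "never seen before" sender condition from the description is not part of the quoted query, so it is not modelled here.

```python
from fnmatch import fnmatch

# Constructed lists for this example; in a real deployment org_vips is fed from
# the upstream provider's VIP group and the domain lists from tenant configuration.
ORG_VIPS = ["Jane Doe", "John Roe"]
ORG_DOMAINS = {"example.com"}
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"trusted-partner.example"}
AUTOMATED_LOCAL_PARTS = ("*postmaster*", "*mailer-daemon*", "*administrator*")
EXCLUDED_ATTACHMENT_TYPES = {"message/rfc822", "message/delivery-status", "text/calendar"}

def dmarc_clause(event, domain_list):
    """One half of the rule's DMARC logic: a sender whose root domain is in the
    list only survives if DMARC did NOT pass; senders outside the list always do."""
    if event["sender_root_domain"] in domain_list:
        return event.get("dmarc_result") != "pass"
    return True

def matches_vip_impersonation(event):
    """Return True when a flattened email event satisfies every clause of the rule."""
    if event.get("category") != "email" or event.get("provider") != "google_workspace":
        return False
    if not any(name in event.get("subject", "") for name in ORG_VIPS):
        return False  # no VIP display name in the subject
    if not (event.get("to") or event.get("cc")
            or event.get("sender_display_name") != event.get("receiver_display_name")):
        return False
    local_part = event.get("sender_local_part", "").lower()
    if any(fnmatch(local_part, pattern) for pattern in AUTOMATED_LOCAL_PARTS):
        return False  # postmaster / mailer-daemon / administrator
    if any(ct in EXCLUDED_ATTACHMENT_TYPES for ct in event.get("attachment_types", [])):
        return False
    if not (dmarc_clause(event, ORG_DOMAINS)
            and dmarc_clause(event, HIGH_TRUST_SENDER_ROOT_DOMAINS)):
        return False  # authenticated org / trusted-partner mail is not impersonation
    return event.get("threat_level") == "high" or event.get("threat_category") == "spam"

# Constructed sample events: an external lookalike and an authenticated internal mail.
EXTERNAL_LOOKALIKE = {
    "category": "email", "provider": "google_workspace",
    "subject": "Jane Doe - urgent wire request", "to": ["cfo@example.com"],
    "sender_display_name": "Jane Doe", "receiver_display_name": "CFO",
    "sender_local_part": "jane.doe", "sender_root_domain": "lookalike-mail.example",
    "dmarc_result": "none", "attachment_types": [], "threat_level": "high",
}
INTERNAL_LEGIT = dict(EXTERNAL_LOOKALIKE, sender_root_domain="example.com",
                      dmarc_result="pass", threat_level="low")
```

Running `matches_vip_impersonation` over both events returns True for the external lookalike and False for the DMARC-authenticated internal message.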