From fd215e4a431a4ce62af4aed9d15a76248e1c9165 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot <hello@sublimesecurity.com>
Date: Mon, 18 Nov 2024 19:55:52 +0000
Subject: [PATCH] Sync from PR#2130

Create impersonation_benefits_enrollment.yml by @aidenmitchell
https://github.com/sublime-security/sublime-rules/pull/2130
Source SHA 50c11df1bc9000a7e886b5fbc0bf367ce0a1bd6c
Triggered by @aidenmitchell
---
 .../impersonation_benefits_enrollment.yml     | 104 ++++++++++++++++++
 1 file changed, 104 insertions(+)
 create mode 100644 detection-rules/impersonation_benefits_enrollment.yml

diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml
new file mode 100644
index 00000000000..b3f3fa2069e
--- /dev/null
+++ b/detection-rules/impersonation_benefits_enrollment.yml
@@ -0,0 +1,104 @@
+name: "Benefits Enrollment Impersonation"
+description: "Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and sender.email.domain.domain not in $org_domains
+  and length(body.current_thread.text) < 2500
+  and 1 of (
+    regex.icontains(subject.subject,
+                    '(open|benefits?) enrol{1,2}ment', // catches both enrolment and enrollment
+                    'benefit(s)? (plan|choice|selection|deadline|period)',
+                    'hr benefits',
+                    'annual enrol{1,2}ment',
+                    'healthcare (choice|selection|opt.?in)',
+                    '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
+                    'dependent (coverage|verification)',
+                    '(health|dental|vision|insurance|medical) enrol{1,2}ment'
+    ),
+    regex.icontains(body.current_thread.text,
+                    '(open|benefits?) enrol{1,2}ment',
+                    'benefit(s)? (plan|choice|selection|deadline|period)',
+                    'hr benefits',
+                    'annual enrol{1,2}ment',
+                    'healthcare (choice|selection|opt.?in)',
+                    '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
+                    'dependent (coverage|verification)',
+                    '(health|dental|vision|insurance|medical) enrol{1,2}ment',
+                    '(urgent|immediate) action required.*(benefit|enrol{1,2}ment)',
+                    'coverage.*(expire|terminate)',
+                    'last (day|chance).*(enrol{1,2}|select)',
+                    '(login|sign.?in).*(benefit portal|hr portal)',
+                    '(verify|update|confirm).*(benefit.*selection)'
+    )
+  )
+  and 1 of (
+    any(ml.nlu_classifier(body.current_thread.text).entities,
+        .name in ("urgency", "request")
+    ),
+    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign"),
+    (length(body.current_thread.text) < 250 and length(attachments) == 1)
+  )
+
+  // negate replies
+  and (
+    length(headers.references) == 0
+    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+  )
+
+  // Negate common marketing mailers
+  and not regex.icontains(sender.display_name,
+                          'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations'
+  )
+  and not (
+    any(headers.hops,
+        strings.icontains(.authentication_results.spf_details.designator,
+                          "constantcontact.com"
+        )
+    )
+    or any(headers.hops,
+           strings.icontains(.received_spf.designator, "constantcontact.com")
+    )
+    or (
+      (
+        any(headers.hops,
+            .index == 0
+            and any(.authentication_results.dkim_details,
+                    .domain == "auth.ccsend.com"
+            )
+        )
+      )
+      and headers.auth_summary.dmarc.pass
+    )
+    or any(headers.references, strings.iends_with(., "ccsend.com"))
+  )
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Impersonation: Employee"
+  - "Out of band pivot"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "5a6eb5a8-2d91-5ed8-a0d2-fb3cc2fef40b"
+testing_pr: 2130
+testing_sha: 50c11df1bc9000a7e886b5fbc0bf367ce0a1bd6c