Brand impersonation: Social Security Administration
Detects messages impersonating the Social Security Administration (SSA) through various indicators including display names, subjects, body content, attachments, and HTML titles. The rule identifies SSA references, confusable characters, statement notifications, and credential theft language while excluding legitimate government communications.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud, Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Social engineering |
Event coverage
Rule body MQL
// Brand impersonation: Social Security Administration (SSA).
// Structure: (1) at least one SSA-impersonation indicator, AND (2) the sender is not a
// DMARC-authenticated .gov domain, AND (3) at least one additional suspicious indicator,
// AND NOT any of the benign-content / trusted-sender exclusions at the end.
type.inbound
// Identifies as SSA without catching strings such as "Alyssa"
and (
// Case-sensitive (regex.contains, not icontains) and anchored to the start of the display name.
regex.contains(sender.display_name, '^SSA\b')
or strings.icontains(sender.display_name, "Social Security Administration")
// there are confusables in the display name
or (
strings.replace_confusables(sender.display_name) != sender.display_name
and strings.contains(strings.replace_confusables(sender.display_name),
"SSA"
)
)
// Display name or subject after confusable normalisation. In 's.a\b' the '.' matches
// any single character between "s" and "a", so a stray separator still matches.
or any([sender.display_name, subject.subject],
regex.icontains(strings.replace_confusables(.),
'Social (?:benefits|security|s.a\b)',
)
)
// Word attachment whose extracted strings name the agency.
or (
any(attachments,
.file_type in ("doc", "docx")
and any(file.explode(.),
strings.icontains(.scan.strings.raw,
"Social Security Administration"
)
)
)
)
// display name or subject references a statement
or (
any([sender.display_name, subject.subject],
regex.icontains(strings.replace_confusables(.),
'(Digital|(e[[:punct:]]?))\s?Statements?.{0,10}(Generated|Created|Issued|Ready)'
)
)
// with SSA impersonation in the body
and strings.icontains(body.current_thread.text,
'Social Security Administration'
)
)
// HTML <title> names Social Security together with a document/notification noun,
// or equals the agency name outright ('=~' is case-insensitive equality).
or any(html.xpath(body.html, '//title').nodes,
(
strings.icontains(.inner_text, 'Social Security')
and (
strings.icontains(.inner_text, 'Statement')
or strings.icontains(.inner_text, 'Notification')
or strings.icontains(.inner_text, 'Document')
or strings.icontains(.inner_text, 'Message')
or strings.icontains(.inner_text, 'Important Update')
or strings.icontains(.inner_text, 'Benefit Amount')
or strings.icontains(.inner_text, 'Account')
or strings.icontains(.inner_text, 'Authorization')
)
)
or .inner_text =~ "Social Security Administration"
or .inner_text =~ "Social Security"
)
// A link to ssa.gov combined with statement-download and "stay connected" wording.
or (
any(body.links, strings.contains(.href_url.url, 'ssa.gov'))
and strings.icontains(body.current_thread.text,
'download monthly statement'
)
and strings.icontains(body.current_thread.text, 'stay connected')
)
// NLU identifies the SSA as the sender and sees credential-theft intent
// at any confidence above "low".
or (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "sender" and .text == "Social Security Administration"
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence != "low"
)
)
)
// Not from a .gov domain
// NOTE(review): unlike the exclusions further down, dmarc.pass is not coalesced
// here — confirm how a null DMARC result is evaluated by this clause.
and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)
// Additional suspicious indicator
and (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Security and Authentication", "Secure Message")
and .confidence == "high"
)
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "org" and .text == "SSA"
)
// An empty or missing body (e.g. image-only lure) counts as an indicator on its own.
or length(body.current_thread.text) == 0
or body.current_thread.text is null
or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
or strings.icontains(strings.replace_confusables(body.current_thread.text),
"Social Security Statement"
)
or regex.icontains(body.current_thread.text,
"(?:view|open) (?:your|the).{0,8} (statement|document)"
)
// NOTE(review): no word boundaries, so this also matches inside words such as
// "already", "spread" or "opening"; together with the empty-body clauses above
// this group is satisfied by most messages — confirm the looseness is intended.
or regex.icontains(body.current_thread.text,
"(?:view|open|assess|evaluate|review|conduct|read|scan)"
)
// real SSA phone number
or strings.icontains(body.current_thread.text, "1-800-772-1213")
// A link whose path ends in an extension from the $file_extensions_executables list.
or any(body.links,
any(regex.extract(.href_url.path, '\.(?P<ext>[^./?#]+)(?:[?#]|$)'),
.named_groups["ext"] in $file_extensions_executables
)
)
// SSA logo detected in a rendered screenshot of the message.
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "SSA" and .confidence == "high"
)
// Word attachment containing threat language or a phone-number-like pattern;
// the [ilo0-9] classes also accept the letters i, l and o standing in for digits.
or (
any(attachments,
.file_type in ("doc", "docx")
and any(file.explode(.),
strings.icontains(.scan.strings.raw, "suspended")
or strings.icontains(.scan.strings.raw, "fraudulent")
or strings.icontains(.scan.strings.raw, "violated")
or strings.icontains(.scan.strings.raw, "false identity")
or regex.icontains(.scan.strings.raw,
'\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
'\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
)
)
)
)
)
// Exclude messages the NLU classifier rates, with high confidence, as
// marketing/newsletter-style topics or as benign intent.
and not (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Newsletters and Digests",
"Advertising and Promotions",
"Events and Webinars",
"Charity and Non-Profit",
"Political Mail"
)
and .confidence == "high"
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "benign" and .confidence == "high"
)
)
// Specific senders excluded only when DMARC passes; a missing DMARC result
// is treated as a fail via coalesce(..., false).
and not (
sender.email.email in ("email@email.monarch.com", "contact@govplus.com")
and coalesce(headers.auth_summary.dmarc.pass, false)
)
// not a forward or reply
// NOTE(review): because this is an OR, a message is only excluded when
// In-Reply-To is set AND References is non-empty.
and (headers.in_reply_to is null or length(headers.references) == 0)
// Senders on the high-trust root-domain list are excluded, again only when DMARC passes.
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
Detection logic
Scope: inbound message.
Detects messages impersonating the Social Security Administration (SSA) through various indicators including display names, subjects, body content, attachments, and HTML titles. The rule identifies SSA references, confusable characters, statement notifications, and credential theft language while excluding legitimate government communications.
- inbound message
any of:
- sender.display_name matches '^SSA\\b'
- sender.display_name contains 'Social Security Administration'
all of:
- strings.replace_confusables(sender.display_name) is not sender.display_name
- strings.replace_confusables(sender.display_name) contains 'SSA'
any of
[sender.display_name, subject.subject] where:
- strings.replace_confusables(.) matches 'Social (?:benefits|security|s.a\\b)'
any of
attachments where all hold:
- .file_type in ('doc', 'docx')
any of
file.explode(.) where:
- .scan.strings.raw contains 'Social Security Administration'
all of:
any of
[sender.display_name, subject.subject] where:
- strings.replace_confusables(.) matches '(Digital|(e[[:punct:]]?))\\s?Statements?.{0,10}(Generated|Created|Issued|Ready)'
- body.current_thread.text contains 'Social Security Administration'
any of
html.xpath(body.html, '//title').nodes where any holds:
all of:
- .inner_text contains 'Social Security'
- .inner_text contains any of 8 patterns:
Statement, Notification, Document, Message, Important Update, Benefit Amount, Account, Authorization
- .inner_text is 'Social Security Administration'
- .inner_text is 'Social Security'
all of:
any of
body.links where:
- .href_url.url contains 'ssa.gov'
- body.current_thread.text contains 'download monthly statement'
- body.current_thread.text contains 'stay connected'
all of:
any of
ml.nlu_classifier(body.current_thread.text).entities where all hold:
- .name is 'sender'
- .text is 'Social Security Administration'
any of
ml.nlu_classifier(body.current_thread.text).intents where all hold:
- .name is 'cred_theft'
- .confidence is not 'low'
not:
all of:
- sender.email.domain.tld is 'gov'
- headers.auth_summary.dmarc.pass
any of:
any of
ml.nlu_classifier(body.current_thread.text).topics where all hold:
- .name in ('Security and Authentication', 'Secure Message')
- .confidence is 'high'
any of
ml.nlu_classifier(body.current_thread.text).entities where all hold:
- .name is 'org'
- .text is 'SSA'
- length(body.current_thread.text) is 0
- body.current_thread.text is missing
- body.current_thread.text contains 'SSA Statement Viewer'
- strings.replace_confusables(body.current_thread.text) contains 'Social Security Statement'
- body.current_thread.text matches '(?:view|open) (?:your|the).{0,8} (statement|document)'
- body.current_thread.text matches '(?:view|open|assess|evaluate|review|conduct|read|scan)'
- body.current_thread.text contains '1-800-772-1213'
any of
body.links where:
any of
regex.extract(.href_url.path) where:
- .named_groups['ext'] in $file_extensions_executables
any of
ml.logo_detect(file.message_screenshot()).brands where all hold:
- .name is 'SSA'
- .confidence is 'high'
any of
attachments where all hold:
- .file_type in ('doc', 'docx')
any of
file.explode(.) where any holds:
- .scan.strings.raw contains 'suspended'
- .scan.strings.raw contains 'fraudulent'
- .scan.strings.raw contains 'violated'
- .scan.strings.raw contains 'false identity'
- .scan.strings.raw matches any of 2 patterns:
\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}
\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}
none of:
any of
ml.nlu_classifier(body.current_thread.text).topics where all hold:
- .name in ('Newsletters and Digests', 'Advertising and Promotions', 'Events and Webinars', 'Charity and Non-Profit', 'Political Mail')
- .confidence is 'high'
any of
ml.nlu_classifier(body.current_thread.text).intents where all hold:
- .name is 'benign'
- .confidence is 'high'
not:
all of:
- sender.email.email in ('email@email.monarch.com', 'contact@govplus.com')
- coalesce(headers.auth_summary.dmarc.pass, false)
any of:
- headers.in_reply_to is missing
- length(headers.references) is 0
not:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
- coalesce(headers.auth_summary.dmarc.pass, false)
Inspects: attachments[].file_type, body.current_thread.text, body.html, body.links, body.links[].href_url.path, body.links[].href_url.url, headers.auth_summary.dmarc.pass, headers.in_reply_to, headers.references, sender.display_name, sender.email.domain.root_domain, sender.email.domain.tld, sender.email.email, subject.subject, type.inbound. Sensors: file.explode, file.message_screenshot, html.xpath, ml.logo_detect, ml.nlu_classifier, regex.contains, regex.extract, regex.icontains, strings.contains, strings.icontains, strings.replace_confusables. Reference lists: $file_extensions_executables, $high_trust_sender_root_domains.
Indicators matched (53)
| Field | Match | Value |
|---|---|---|
regex.contains | regex | ^SSA\b |
strings.icontains | substring | Social Security Administration |
strings.contains | substring | SSA |
regex.icontains | regex | Social (?:benefits|security|s.a\b) |
attachments[].file_type | member | doc |
attachments[].file_type | member | docx |
regex.icontains | regex | (Digital|(e[[:punct:]]?))\s?Statements?.{0,10}(Generated|Created|Issued|Ready) |
strings.icontains | substring | Social Security |
strings.icontains | substring | Statement |
strings.icontains | substring | Notification |
strings.icontains | substring | Document |
strings.icontains | substring | Message |
strings.icontains | substring | Important Update |
strings.icontains | substring | Benefit Amount |
strings.icontains | substring | Account |
strings.icontains | substring | Authorization |
html.xpath(body.html, '//title').nodes[].inner_text | equals | Social Security Administration |
html.xpath(body.html, '//title').nodes[].inner_text | equals | Social Security |
strings.contains | substring | ssa.gov |
strings.icontains | substring | download monthly statement |
strings.icontains | substring | stay connected |
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | sender |
ml.nlu_classifier(body.current_thread.text).entities[].text | equals | Social Security Administration |
ml.nlu_classifier(body.current_thread.text).intents[].name | equals | cred_theft |
sender.email.domain.tld | equals | gov |
ml.nlu_classifier(body.current_thread.text).topics[].name | member | Security and Authentication |
ml.nlu_classifier(body.current_thread.text).topics[].name | member | Secure Message |
ml.nlu_classifier(body.current_thread.text).topics[].confidence | equals | high |
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | org |
ml.nlu_classifier(body.current_thread.text).entities[].text | equals | SSA |
strings.icontains | substring | SSA Statement Viewer |
strings.icontains | substring | Social Security Statement |
regex.icontains | regex | (?:view|open) (?:your|the).{0,8} (statement|document) |
regex.icontains | regex | (?:view|open|assess|evaluate|review|conduct|read|scan) |
strings.icontains | substring | 1-800-772-1213 |
regex.extract | regex | \.(?P<ext>[^./?#]+)(?:[?#]|$) |
ml.logo_detect(file.message_screenshot()).brands[].name | equals | SSA |
ml.logo_detect(file.message_screenshot()).brands[].confidence | equals | high |
strings.icontains | substring | suspended |
strings.icontains | substring | fraudulent |
strings.icontains | substring | violated |
strings.icontains | substring | false identity |
regex.icontains | regex | \+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4} |
regex.icontains | regex | \+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4} |
ml.nlu_classifier(body.current_thread.text).topics[].name | member | Newsletters and Digests |
ml.nlu_classifier(body.current_thread.text).topics[].name | member | Advertising and Promotions |
ml.nlu_classifier(body.current_thread.text).topics[].name | member | Events and Webinars |
ml.nlu_classifier(body.current_thread.text).topics[].name | member | Charity and Non-Profit |
ml.nlu_classifier(body.current_thread.text).topics[].name | member | Political Mail |
ml.nlu_classifier(body.current_thread.text).intents[].name | equals | benign |
ml.nlu_classifier(body.current_thread.text).intents[].confidence | equals | high |
sender.email.email | member | email@email.monarch.com |
sender.email.email | member | contact@govplus.com |