Sync from PR#2130

Create impersonation_benefits_enrollment.yml by @aidenmitchell
#2130
Source SHA df9c68a
Triggered by @aidenmitchell

detection-rules/impersonation_benefits_enrollment.yml

@@ -0,0 +1,150 @@
+name: "Benefits Enrollment Impersonation"
+description: "Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and sender.email.domain.domain not in $org_domains
+  and (
+    length(body.current_thread.text) < 2500 or body.current_thread.text is null
+  )
+  and (
+    regex.icontains(subject.subject,
+                    '(open|benefits?) enrol{1,2}ment', // catches both enrolment and enrollment
+                    'benefit(s)? (plan|choice|selection|deadline|period)',
+                    'hr benefits',
+                    'annual enrol{1,2}ment',
+                    'healthcare (choice|selection|opt.?in)',
+                    '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
+                    'dependent (coverage|verification)',
+                    '(health|dental|vision|insurance|medical) enrol{1,2}ment'
+    )
+    or regex.icontains(body.current_thread.text,
+                       'benefit(s)? (plan|choice|selection|deadline|period)',
+                       'hr benefits',
+                       'annual enrol{1,2}ment',
+                       'healthcare (choice|selection|opt.?in)',
+                       '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
+                       'dependent (coverage|verification)',
+                       '(health|dental|vision|insurance|medical) enrol{1,2}ment',
+                       '(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)',
+                       'coverage.{0,20}(expire|terminate)',
+                       'last (day|chance).{0,20}(enrol{1,2}|select)',
+                       '(login|sign.?in).{0,20}(benefit portal|hr portal)',
+                       '(verify|update|confirm).{0,20}(benefit.{0,20}selection)'
+    )
+    or any(attachments,
+           regex.icontains(.file_name,
+                           'fileDoc-Review',
+                           '(open|benefits?) enrol{1,2}ment',
+                           'annual enrol{1,2}ment',
+                           '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
+                           '(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)',
+           )
+    )
+  )
+  and 2 of (
+    any(ml.nlu_classifier(body.current_thread.text).entities,
+        .name in ("urgency", "request")
+    ),
+    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign"),
+    (
+      (length(body.current_thread.text) < 250 and length(attachments) == 1)
+      or (body.current_thread.text is null and length(attachments) == 1)
+    ),
+    // lure in attachment
+    (
+      any(attachments,
+          (
+            .file_type in $file_types_images
+            or .file_type in ("pdf", "docx", "doc")
+            or .file_extension in $file_extensions_macros
+          )
+          and any(filter(file.explode(.), .scan.ocr.raw is not null),
+                  (
+                    any(ml.nlu_classifier(.scan.ocr.raw).intents,
+                        .name != "benign"
+                    )
+                    or any(ml.nlu_classifier(.scan.ocr.raw).entities,
+                           .name in ("urgency", "request")
+                    )
+                  )
+          )
+      )
+    )
+  )
+  // negate replies
+  and (
+    length(headers.references) == 0
+    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+  )
+
+  // Negate common marketing mailers
+  and not regex.icontains(sender.display_name,
+                          'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations'
+  )
+  and not (
+    // Constant Contact
+    any(headers.hops,
+        strings.icontains(.authentication_results.spf_details.designator,
+                          "constantcontact.com"
+        )
+    )
+    or any(headers.hops,
+           strings.icontains(.received_spf.designator, "constantcontact.com")
+    )
+    or (
+      (
+        any(headers.hops,
+            .index == 0
+            and any(.authentication_results.dkim_details,
+                    .domain == "auth.ccsend.com"
+            )
+        )
+      )
+      and headers.auth_summary.dmarc.pass
+    )
+    or any(headers.references, strings.iends_with(., "ccsend.com"))
+    // Hubspot
+    or any(headers.hops,
+           strings.icontains(.authentication_results.spf_details.designator,
+                             "hubspotemail.net"
+           )
+    )
+  )
+  and sender.email.domain.root_domain not in~ (
+    'medicare.gov',
+    'farmers.com',
+    'uhc.com',
+    'blueshieldca.com',
+    'corestream.com'
+  )
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Impersonation: Employee"
+  - "Out of band pivot"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "5a6eb5a8-2d91-5ed8-a0d2-fb3cc2fef40b"
+testing_pr: 2130
+testing_sha: df9c68a84d84ea051f05d489f42d3d3d7692eb25