From 06e7aa098cd4a8042870557ca09d935e525ed839 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Tue, 10 Dec 2024 18:02:02 +0000
Subject: [PATCH] Sync from PR#2130 Create impersonation_benefits_enrollment.yml by @aidenmitchell https://github.com/sublime-security/sublime-rules/pull/2130 Source SHA df9c68a84d84ea051f05d489f42d3d3d7692eb25 Triggered by @aidenmitchell
---
 .../impersonation_benefits_enrollment.yml | 41 +++++++++++++++++--
 1 file changed, 37 insertions(+), 4 deletions(-)
diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml
index 3807579ea71..7a05fb8f383 100644
--- a/detection-rules/impersonation_benefits_enrollment.yml
+++ b/detection-rules/impersonation_benefits_enrollment.yml
@@ -5,7 +5,9 @@ severity: "high"
 source: |
   type.inbound
   and sender.email.domain.domain not in $org_domains
-  and length(body.current_thread.text) < 2500
+  and (
+    length(body.current_thread.text) < 2500 or body.current_thread.text is null
+  )
   and (
     regex.icontains(subject.subject,
       '(open|benefits?) enrol{1,2}ment', // catches both enrolment and enrollment
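Review bot: The null guard added around the 2500-character length check lets messages with no `body.current_thread.text` through the top-level filter, but the `ml.nlu_classifier(body.current_thread.text)` calls in the `2 of` block further down the same `source:` scalar (outside this hunk) are still evaluated on that possibly-null text. If the classifier yields no entities or intents for a null input — worth confirming against MQL's null semantics — those two clauses quietly drop out and the verdict rests entirely on the attachment-based clauses. A short comment at the guard would make that intent explicit, e.g. `// allow attachment-only messages; when the body is null the nlu clauses below contribute nothing and the attachment checks carry the verdict`. The `source: |` block continues past the end of this hunk.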
@@ -31,15 +33,46 @@ source: |
       '(login|sign.?in).{0,20}(benefit portal|hr portal)',
       '(verify|update|confirm).{0,20}(benefit.{0,20}selection)'
     )
+    or any(attachments,
+      regex.icontains(.file_name,
+        'fileDoc-Review',
+        '(open|benefits?) enrol{1,2}ment',
+        'annual enrol{1,2}ment',
+        '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
+        '(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)',
+      )
+    )
   )
   and 2 of (
     any(ml.nlu_classifier(body.current_thread.text).entities,
       .name in ("urgency", "request")
     ),
     any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign"),
-    (length(body.current_thread.text) < 250 and length(attachments) == 1)
+    (
+      (length(body.current_thread.text) < 250 and length(attachments) == 1)
+      or (body.current_thread.text is null and length(attachments) == 1)
+    ),
+    // lure in attachment
+    (
+      any(attachments,
+        (
+          .file_type in $file_types_images
+          or .file_type in ("pdf", "docx", "doc")
+          or .file_extension in $file_extensions_macros
+        )
+        and any(filter(file.explode(.), .scan.ocr.raw is not null),
+          (
+            any(ml.nlu_classifier(.scan.ocr.raw).intents,
+              .name != "benign"
+            )
+            or any(ml.nlu_classifier(.scan.ocr.raw).entities,
+              .name in ("urgency", "request")
+            )
+          )
+        )
+      )
+    )
   )
-
   // negate replies
   and (
     length(headers.references) == 0
@@ -114,4 +147,4 @@ detection_methods:
   - "Sender analysis"
 id: "5a6eb5a8-2d91-5ed8-a0d2-fb3cc2fef40b"
 testing_pr: 2130
-testing_sha: 9b89fd8f37a5f6d4f87328efde446fd250a10930
+testing_sha: df9c68a84d84ea051f05d489f42d3d3d7692eb25
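Review bot: The new `regex.icontains(.file_name, ...)` list ends with a trailing comma after the `'(urgent|immediate) action required...'` pattern, whereas the subject pattern list directly above it closes without one; if the MQL parser does not accept a trailing argument comma the rule will fail to compile, and if it does, dropping it keeps the two lists consistent. `'fileDoc-Review'` is a literal filename fragment with nothing explaining where it came from; a one-line comment such as `// observed lure filename fragment — confirm source before retiring` would help the next maintainer. With the two added clauses, a body-less message carrying a single image or PDF whose OCR text classifies as a `request` or non-benign intent now satisfies `2 of` with no body-derived evidence at all (the subject or filename match is still required), which broadens the rule noticeably and is worth checking against benign HR mailings that attach enrollment forms with "action required" wording. The third clause can also be written once as `(body.current_thread.text is null or length(body.current_thread.text) < 250) and length(attachments) == 1`, avoiding the repeated attachment count. The `source: |` block starts and ends outside this hunk.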