name:
CEO impersonation
severity:
high
source:
| ilike(sender.display_name, "*Rachael Tyrell*") and sender.email.domain.root_domain != 'tyrellcorp.io'
actions:
warning_banner:
"Warning: This sender may be impersonating our CEO."
alert:
splunk
tags:
- "Executive Impersonation"
- "Business Email Compromise"
Modern email security is a one-size-fits-all black box. The same phishing attacks continue to land, and the same legitimate emails continue to get blocked.
Sublime
lets you write and run custom detection and response rules to
block phishing attacks, hunt for threats, and more.
Rule
Message
Code
CEO impersonation
high
| ilike(sender.display_name, "*Rachael Tyrell*") and sender.email.domain.root_domain != 'tyrellcorp.io'
warning_banner:
"Warning: This sender may be impersonating our CEO."
alert:
splunk
- "Executive Impersonation"
- "Business Email Compromise"
Block
Write sophisticated rules to block and detect phishing attacks. Operationalize threat intel from any source.
Remediate
Delete reported phish and find similar messages with a single click. Add context-aware warning banners to suspicious messages.
Hunt
Identify and remediate campaigns using behavioral patterns and historical message search. Detect malicious forwarding rules.
Collaborate
Subscribe to rules written by others in the community. Report new attacker techniques.