Refine detection rule for Canada Revenue Agency impersonation #4668

Open
cybher0808 wants to merge 1 commit into main from cybher0808.fn.esc-15318.craimpersonation

Conversation

@cybher0808 (Member) commented Jun 15, 2026

Description

Updating this rule with additional NLU classifications for sender, org and language descriptions.

Associated samples

Associated hunts

Updated the rule name to include 'CRA' for clarity and enhanced the NLU classification logic to include checks for sender entities and language detection.
@cybher0808 cybher0808 requested a review from a team June 15, 2026 18:11
@cybher0808 cybher0808 requested a review from a team as a code owner June 15, 2026 18:11
@cybher0808 cybher0808 self-assigned this Jun 15, 2026
@cybher0808 cybher0808 added the in-test-rules PR is in our testing suite to collect telemetry label Jun 15, 2026
github-actions Bot added a commit that referenced this pull request Jun 15, 2026
github-actions Bot added a commit that referenced this pull request Jun 15, 2026
@cybher0808 (Member, Author) commented:

Results look good; this is a quick add-on from the last rule. Marking R4R.

@cybher0808 cybher0808 added the review-needed Indicates that a PR is waiting for review label Jun 16, 2026
Comment on lines +24 to +27
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name in ("sender", "org")
and .text in ('Canada Revenue Agency', 'Canada Revenue Agency (CRA)')
)
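Review bot: the entity check `.text in ('Canada Revenue Agency', 'Canada Revenue Agency (CRA)')` on lines +26 to +27 is an exact, case-sensitive comparison, so an entity the classifier returns as "CRA", "Canada revenue agency", or with trailing punctuation or whitespace will not match either literal; consider a case-insensitive match or normalizing `.text` before comparing, so the two literals cover the variants the description intends.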

Reviewer (Member) commented:

This stanza appears to be designed to detect the "suspicious" part of an impersonation; the NLU sender/org logic seems to be a better match for the stanza above this one (// sender claims to be CRA).

.name in ("sender", "org")
and .text in ('Canada Revenue Agency', 'Canada Revenue Agency (CRA)')
)
or ml.nlu_classifier(body.current_thread.text).language == "french"

Reviewer (Member) commented:

This appears to be a pretty broad "suspicious" element, and given that French is spoken in some parts of Canada, I suspect it isn't a very strong indicator.

@zoomequipd (Member) commented:

You might have better luck "flipping" the logic of this rule around and, instead of trying to find/define "suspicious", define what is different from the benign/legit samples.

For example, I noticed that VERY few of the legit emails from Canada Revenue Agency have links in body.current_thread, and when they do, the links are to known/legit domains (canada.ca).

This hunt tests that (it looks for messages from the high_trust/legit sender domain WITH links) and returns 2 matches:
https://platform.sublime.security/messages/hunt?huntId=019ef011-c22a-786f-a47a-270a05034b00

Any message that appears to be from CRA and has links that don't go to canada.ca might be worthwhile.
Hunt testing that theory: https://platform.sublime.security/messages/hunt?huntId=019ef017-9d59-74b5-8de1-7399fff71538


The other sample includes a PDF attachment; I found that the normal CRA emails contain only image attachments.
Here is a hunt that looks for any attachments that are not images:
https://platform.sublime.security/messages/hunt?huntId=019ef023-7247-7514-aecf-420733bf01fb


Here is a search of messages from CRA that can be used as references:
https://platform.sublime.security/messages/search?from=cra-arc.gc.ca&limit=100&lookBack=all-time
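The "flipped" baseline logic described in this comment, as an added example in Python that is not part of the PR or of Sublime's rule language (MQL); the message field names, the MIME types taken to mean "image attachments", and the sample messages are assumptions constructed here.

```python
# Added example (not the PR's rule or Sublime MQL): the "flipped" logic from the thread, in Python over
# constructed samples. From the thread: legit CRA links go to canada.ca and legit CRA mail carries only
# image attachments. Field names, MIME types and sample messages are assumptions.
import re
from urllib.parse import urlparse

LEGIT_LINK_DOMAINS = ("canada.ca",)
IMAGE_TYPES = ("image/png", "image/jpeg", "image/gif")  # assumed meaning of "image attachments"
CRA_RE = re.compile(r"\b(canada revenue agency|cra)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def claims_cra(from_name, body):
    """Message presents itself as CRA by display name or body wording."""
    return CRA_RE.search(f"{from_name} {body}") is not None

def is_legit_host(host):
    """canada.ca itself or a subdomain of it; look-alikes such as canada-ca.example fail."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_LINK_DOMAINS)

def offsite_links(body):
    """Hosts of body links that are not on an allowed domain."""
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    return sorted({h for h in hosts if not is_legit_host(h)})

def non_image_attachments(attachments):
    return [a["name"] for a in attachments if a["type"] not in IMAGE_TYPES]

def flag_message(msg):
    """Reasons a CRA-claiming message deviates from the legit baseline; [] means no flag."""
    if not claims_cra(msg["from_name"], msg["body"]):
        return []
    reasons = []
    if hosts := offsite_links(msg["body"]):
        reasons.append("offsite links: " + ", ".join(hosts))
    if bad := non_image_attachments(msg["attachments"]):
        reasons.append("non-image attachments: " + ", ".join(bad))
    return reasons

# Constructed samples (not real messages).
SAMPLES = {
    "legit": {"from_name": "Canada Revenue Agency", "body": "Notice: https://www.canada.ca/en/revenue-agency.html",
              "attachments": [{"name": "logo.png", "type": "image/png"}]},
    "link_lure": {"from_name": "CRA Notifications", "attachments": [],
                  "body": "Claim your refund: https://canada-ca.refund-portal.example/claim"},
    "pdf_lure": {"from_name": "Canada Revenue Agency (CRA)", "body": "Your notice is attached.",
                 "attachments": [{"name": "notice.pdf", "type": "application/pdf"}]},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, flag_message(msg))
```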

@zoomequipd (Member) commented:

A net new hunt (over the current version of the rule) that implements some of my ideas:
https://platform.sublime.security/messages/hunt?huntId=019ef030-35dd-7ddb-83d6-688de93405aa

@zoomequipd zoomequipd self-assigned this Jun 22, 2026