How to detect executive or VIP impersonation

Background

Attackers impersonate trusted executives or VIPs, such as your CEO or CFO, to trick an employee into sharing confidential tax information (e.g., W-2 tax forms), executing an unauthorized wire transfer, or buying gift cards.

Here is a simple VIP impersonation rule leveraging the $org_vips dynamic system list:

type.inbound
and any($org_vips, .display_name == sender.display_name)
and (
    // ignore personal <> work emails
    // where the sender and mailbox's display names are the same
    length(recipients.to) + length(recipients.cc) > 1
    or sender.display_name != mailbox.display_name
)
and sender.email.email not in $recipient_emails
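The same rule re-implemented in Python and run over constructed sample messages, as an added example that is not part of this page or of Sublime's own engine. It assumes $recipient_emails holds the organization's own recipient addresses, and it compares names case-insensitively, which is stricter than the rule's == above.

```python
from dataclasses import dataclass

@dataclass
class Message:
    """Subset of message fields the rule reads (constructed sample schema, not Sublime's)."""
    inbound: bool
    sender_display_name: str
    sender_email: str
    to: list                    # addresses in the To: header
    cc: list                    # addresses in the Cc: header
    mailbox_display_name: str   # display name of the mailbox that received the message

def normalize(name: str) -> str:
    # Collapse case and inner whitespace so "jane  DOE" still matches "Jane Doe";
    # this is stricter than the rule's exact '==' comparison.
    return " ".join(name.split()).casefold()

def is_vip_impersonation(msg: Message, org_vips, recipient_emails) -> bool:
    if not msg.inbound:
        return False
    # any($org_vips, .display_name == sender.display_name)
    if not any(normalize(v) == normalize(msg.sender_display_name) for v in org_vips):
        return False
    # A VIP mailing their own work mailbox from a personal account has a single
    # recipient and a matching mailbox display name; the rule ignores that case.
    single_recipient = len(msg.to) + len(msg.cc) <= 1
    if single_recipient and normalize(msg.sender_display_name) == normalize(msg.mailbox_display_name):
        return False
    # sender.email.email not in $recipient_emails: assumed here to be the org's own
    # recipient addresses, so mail from one of them is not an impersonation.
    return msg.sender_email.casefold() not in {e.casefold() for e in recipient_emails}

# Constructed sample data: two VIP display names and the org's known recipient addresses.
ORG_VIPS = ["Jane Doe", "Sam Lee"]
RECIPIENT_EMAILS = {"jane.doe@example.com", "sam.lee@example.com", "pat@example.com"}
SAMPLES = {
    "spoofed_ceo": Message(True, "Jane Doe", "jane.doe.ceo@mail-example.net", ["pat@example.com"], [], "Pat Smith"),
    "vip_personal_to_work": Message(True, "jane doe", "jdoe@personal-example.net", ["jane.doe@example.com"], [], "Jane Doe"),
    "vip_personal_broadcast": Message(True, "Jane Doe", "jdoe@personal-example.net", ["jane.doe@example.com", "pat@example.com"], [], "Jane Doe"),
    "real_internal_vip": Message(True, "Jane Doe", "jane.doe@example.com", ["pat@example.com"], [], "Pat Smith"),
    "outbound": Message(False, "Jane Doe", "jane.doe.ceo@mail-example.net", ["pat@example.com"], [], "Pat Smith"),
    "non_vip": Message(True, "Chris Ray", "chris@mail-example.net", ["pat@example.com"], [], "Pat Smith"),
}

def evaluate_samples() -> dict:
    return {name: is_vip_impersonation(m, ORG_VIPS, RECIPIENT_EMAILS) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    print(evaluate_samples())
```

Only the spoofed CEO message and the VIP's personal-account message sent to several recipients are flagged; the single-recipient personal-to-work message, the genuine internal VIP, the outbound message and the non-VIP sender all pass.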