Brand impersonation: AARP

Detects messages impersonating AARP by analyzing sender display name and body content for AARP references, address information, or survey-related language from unauthorized senders.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: AARP"
 2description: "Detects messages impersonating AARP by analyzing sender display name and body content for AARP references, address information, or survey-related language from unauthorized senders."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    (
 9      strings.icontains(sender.display_name, "AARP")
10      and any(ml.nlu_classifier(body.current_thread.text).entities,
11              .name in ("request", "financial")
12              and regex.icontains(.text, "(?:gift|win|free)")
13      )
14    )
15    or 2 of (
16      strings.icontains(body.current_thread.text, 'AARP'),
17      strings.icontains(body.current_thread.text, '601 E Street NW'),
18      strings.icontains(body.current_thread.text, 'Washington, DC 20049')
19    )
20    or (
21      strings.icontains(body.current_thread.text, 'AARP')
22      and (
23        regex.icontains(body.current_thread.text, 'quick .{0,10}survey')
24        or strings.icontains(body.current_thread.text, "last attempt")
25      )
26    )
27  )
28  // negate job postings related to AARP and newsletters containing AARP
29  and not any(ml.nlu_classifier(body.current_thread.text).topics,
30              .name in (
31                "Professional and Career Development",
32                "Newsletters and Digests"
33              )
34              and .confidence == "high"
35  )
36  // and the sender is not in org_domains or from AARP domains and passes auth
37  and not (
38    sender.email.domain.root_domain in $org_domains
39    or (
40      sender.email.domain.root_domain in (
41        "aarp.org",
42        "proofpointessentials.com",
43        "expedia.com",
44        "eventbrite.com",
45        "zixcorp.com"
46      )
47      and headers.auth_summary.dmarc.pass
48    )
49  )  
50
51attack_types:
52  - "BEC/Fraud"
53  - "Credential Phishing"
54tactics_and_techniques:
55  - "Impersonation: Brand"
56  - "Social engineering"
57detection_methods:
58  - "Content analysis"
59  - "Header analysis"
60  - "Sender analysis"
61id: "561a7f87-0af7-5f34-8d5d-86bdc0fe213d"