Brand impersonation: AARP
Detects messages impersonating AARP by analyzing sender display name and body content for AARP references, address information, or survey-related language from unauthorized senders.
Sublime rule (View on GitHub)
1name: "Brand impersonation: AARP"
2description: "Detects messages impersonating AARP by analyzing sender display name and body content for AARP references, address information, or survey-related language from unauthorized senders."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 (
9 strings.icontains(sender.display_name, "AARP")
10 and any(ml.nlu_classifier(body.current_thread.text).entities,
11 .name in ("request", "financial")
12 and regex.icontains(.text, "(?:gift|win|free|renewal)")
13 )
14 )
15 or 2 of (
16 strings.icontains(body.current_thread.text, 'AARP'),
17 strings.icontains(body.current_thread.text, '601 E Street NW'),
18 strings.icontains(body.current_thread.text, 'Washington, DC 20049')
19 )
20 or (
21 strings.icontains(body.current_thread.text, 'AARP')
22 and (
23 regex.icontains(body.current_thread.text, 'quick .{0,10}survey')
24 or strings.icontains(body.current_thread.text, "last attempt")
25 )
26 )
27 //
28 // This rule makes use of a beta feature and is subject to change without notice
29 // using the beta feature in custom rules is not suggested until it has been formally released
30 //
31 or (
32 strings.icontains(beta.ocr(file.message_screenshot()).text, "AARP")
33 and strings.icontains(beta.ocr(file.message_screenshot()).text,
34 "join or renew now"
35 )
36 and strings.icontains(beta.ocr(file.message_screenshot()).text,
37 "to opt out"
38 )
39 )
40 )
41 // negate job postings related to AARP and newsletters containing AARP
42 and not any(ml.nlu_classifier(body.current_thread.text).topics,
43 .name in (
44 "Professional and Career Development",
45 "Newsletters and Digests"
46 )
47 and .confidence == "high"
48 )
49 // and the sender is not in org_domains or from AARP domains and passes auth
50 and not (
51 sender.email.domain.root_domain in $org_domains
52 or (
53 sender.email.domain.root_domain in (
54 "aarp.org",
55 "proofpointessentials.com",
56 "expedia.com",
57 "eventbrite.com",
58 "zixcorp.com"
59 )
60 and headers.auth_summary.dmarc.pass
61 )
62 )
63
64attack_types:
65 - "BEC/Fraud"
66 - "Credential Phishing"
67tactics_and_techniques:
68 - "Impersonation: Brand"
69 - "Social engineering"
70detection_methods:
71 - "Content analysis"
72 - "Header analysis"
73 - "Sender analysis"
74id: "561a7f87-0af7-5f34-8d5d-86bdc0fe213d"