Brand impersonation: AARP

Detects messages impersonating AARP by analyzing sender display name and body content for AARP references, address information, or survey-related language from unauthorized senders.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: AARP"
 2description: "Detects messages impersonating AARP by analyzing sender display name and body content for AARP references, address information, or survey-related language from unauthorized senders."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    (
 9      strings.icontains(sender.display_name, "AARP")
10      and any(ml.nlu_classifier(body.current_thread.text).entities,
11              .name in ("request", "financial")
12              and regex.icontains(.text, "(?:gift|win|free|renewal)")
13      )
14    )
15    or 2 of (
16      strings.icontains(body.current_thread.text, 'AARP'),
17      strings.icontains(body.current_thread.text, '601 E Street NW'),
18      strings.icontains(body.current_thread.text, 'Washington, DC 20049')
19    )
20    or (
21      strings.icontains(body.current_thread.text, 'AARP')
22      and (
23        regex.icontains(body.current_thread.text, 'quick .{0,10}survey')
24        or strings.icontains(body.current_thread.text, "last attempt")
25      )
26    )
27    //
28    // This rule makes use of a beta feature and is subject to change without notice
29    // using the beta feature in custom rules is not suggested until it has been formally released
30    //
31    or (
32      strings.icontains(beta.ocr(file.message_screenshot()).text, "AARP")
33      and strings.icontains(beta.ocr(file.message_screenshot()).text,
34                            "join or renew now"
35      )
36      and strings.icontains(beta.ocr(file.message_screenshot()).text,
37                            "to opt out"
38      )
39    )
40  )
41  // negate job postings related to AARP and newsletters containing AARP
42  and not any(ml.nlu_classifier(body.current_thread.text).topics,
43              .name in (
44                "Professional and Career Development",
45                "Newsletters and Digests"
46              )
47              and .confidence == "high"
48  )
49  // and the sender is not in org_domains or from AARP domains and passes auth
50  and not (
51    sender.email.domain.root_domain in $org_domains
52    or (
53      sender.email.domain.root_domain in (
54        "aarp.org",
55        "proofpointessentials.com",
56        "expedia.com",
57        "eventbrite.com",
58        "zixcorp.com"
59      )
60      and headers.auth_summary.dmarc.pass
61    )
62  )  
63
64attack_types:
65  - "BEC/Fraud"
66  - "Credential Phishing"
67tactics_and_techniques:
68  - "Impersonation: Brand"
69  - "Social engineering"
70detection_methods:
71  - "Content analysis"
72  - "Header analysis"
73  - "Sender analysis"
74id: "561a7f87-0af7-5f34-8d5d-86bdc0fe213d"
to-top