Brand impersonation: Aquent
Detects messages impersonating Aquent, a staffing and talent solutions company, by analyzing sender display names and body content for Aquent branding and office addresses from unauthorized domains.
Sublime rule
# Sublime detection rule. The `source` block is MQL; `type.inbound` scopes it to
# inbound mail, and the rule fires only when the branding test AND every
# exclusion below agree.
name: "Brand impersonation: Aquent"
description: "Detects messages impersonating Aquent, a staffing and talent solutions company, by analyzing sender display names and body content for Aquent branding and office addresses from unauthorized domains."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // display-name branding: case-insensitive, and the only word boundary is the
    // trailing one, so a display name whose word ends in "aquent" also matches
    regex.icontains(sender.display_name, 'Aquent\b')
    // look for Aquent address from footer, or current address being used by actors
    or (
      strings.icontains(body.current_thread.text, 'Aquent')
      and (
        // Menlo Park office: both the street and the city/ZIP line must appear
        (
          strings.icontains(body.current_thread.text, '2884 Sand Hill Road')
          and strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025')
        )
        // Boston office: same two-part requirement
        or (
          strings.icontains(body.current_thread.text, '501 Boylston St')
          and strings.icontains(body.current_thread.text, 'Boston, MA 02116')
        )
      )
    )
  )
  // sender exclusions: the org's own domains are excluded without an
  // authentication check; the listed third-party domains are excluded only
  // when the message passes DMARC
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      sender.email.domain.root_domain in (
        "aquent.com",
        "dice.com",
        "roberthalf.com",
        "roberthalf.be",
        "service-now.com",
        "protiviti.com",
        "atlassian.net",
        "workday.com",
        "myworkday.com",
        "rapdev.io",
        "immersivelabs.com",
        "outsidegc.com"
      )
      and headers.auth_summary.dmarc.pass
    )
  )
  // not a forward or reply
  and (headers.in_reply_to is null or length(headers.references) == 0)
  // marketing mail that merely mentions the brand is excluded, unless the
  // classifier's confidence in that topic is low
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
    .name == "Advertising and Promotions" and .confidence != "low"
  )
  // negate instances where proofpoint sends a review of a reported message via analyzer
  // (exact sender, pphosted.com in the header domains, and SPF + DMARC pass are
  // all required for the exclusion)
  and not (
    sender.email.email == "analyzer@analyzer.securityeducation.com"
    and any(headers.domains, .root_domain == "pphosted.com")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "5074459c-d48e-5ff6-9a08-3da38c2963d9"