Brand impersonation: Aquent

Detects messages sent from unauthorized domains that impersonate Aquent, a staffing and talent solutions company, by analyzing sender display names and body content for Aquent branding and Aquent office addresses.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Aquent"
 2description: "Detects messages impersonating Aquent, a staffing and talent solutions company, by analyzing sender display names and body content for Aquent branding and office addresses from unauthorized domains."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
  // Two independent impersonation signals: the sender display name alone,
  // or body text that names Aquent AND quotes one of its office addresses.
 7  and (
 8    regex.icontains(sender.display_name, 'Aquent\b')
    // NOTE(review): the pattern carries only a trailing \b, so a display name
    // that embeds "aquent" at the end of a longer token also matches
    // (case-insensitive). Confirm whether a leading \b is wanted.
 9    // look for Aquent address from footer, or current address being used by actors
10    or (
11      strings.icontains(body.current_thread.text, 'Aquent')
12      and (
        // Menlo Park office: street and city/ZIP must both be present.
13        (
14          strings.icontains(body.current_thread.text, '2884 Sand Hill Road')
15          and strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025')
16        )
        // Boston office: street and city/ZIP must both be present.
17        or (
18          strings.icontains(body.current_thread.text, '501 Boylston St')
19          and strings.icontains(body.current_thread.text, 'Boston, MA 02116')
20        )
21      )
22    )
23  )
  // Allow-list. The org's own domains are exempt unconditionally; the fixed
  // partner/vendor list below is exempt only when DMARC passes, so a message
  // that merely spoofs one of those From domains is still evaluated.
24  and not (
25    sender.email.domain.root_domain in $org_domains
26    or (
27      sender.email.domain.root_domain in (
28        "aquent.com",
29        "dice.com",
30        "roberthalf.com",
31        "roberthalf.be",
32        "service-now.com",
33        "protiviti.com",
34        "atlassian.net",
35        "workday.com",
36        "myworkday.com",
37        "rapdev.io",
38        "immersivelabs.com",
39        "outsidegc.com"
40      )
41      and headers.auth_summary.dmarc.pass
42    )
43  )
44  // not a forward or reply
  // NOTE(review): the two checks are joined with "or", so a message with
  // In-Reply-To set but an empty References header still counts as a new
  // thread and stays in scope - confirm this is the intended behaviour.
45  and (headers.in_reply_to is null or length(headers.references) == 0)
  // Suppress bulk marketing: drop messages the NLU classifier tags as
  // "Advertising and Promotions" with any confidence other than "low".
46  and not any(ml.nlu_classifier(body.current_thread.text).topics,
47              .name == "Advertising and Promotions" and .confidence != "low"
48  )
49  // negate instances where proofpoint sends a review of a reported message via analyzer 
  // All four conditions must hold (exact sender address, pphosted.com among
  // the header domains, SPF pass, DMARC pass), so the exemption cannot be
  // obtained by spoofing the sender address alone.
50  and not (
51    sender.email.email == "analyzer@analyzer.securityeducation.com"
52    and any(headers.domains, .root_domain == "pphosted.com")
53    and headers.auth_summary.spf.pass
54    and headers.auth_summary.dmarc.pass
55  )  
56
  # Rule classification metadata.
57attack_types:
58  - "BEC/Fraud"
59  - "Credential Phishing"
60tactics_and_techniques:
61  - "Impersonation: Brand"
62  - "Social engineering"
63detection_methods:
64  - "Content analysis"
65  - "Header analysis"
66  - "Sender analysis"
67id: "5074459c-d48e-5ff6-9a08-3da38c2963d9"