Brand impersonation: Bids & Tenders

Detects links impersonating the Bids & Tenders platform. The rule identifies suspicious links from non-legitimate domains that load Bids & Tenders logo assets, suggesting the sender is spoofing the platform to appear legitimate.

Sublime rule (View on GitHub)

name: "Brand impersonation: Bids & Tenders"
description: "Detects links impersonating the Bids & Tenders platform. The rule identifies suspicious links from non-legitimate domains that load Bids & Tenders logo assets, suggesting the sender is spoofing the platform to appear legitimate."
type: "rule"
severity: "high"
source: |
  type.inbound
  // self sender or invalid recipient domain
  and length(recipients.to) == 1
  and (
    sender.email.email == recipients.to[0].email.email
    or recipients.to[0].email.domain.valid == false
  )
  // a small number of links in the current thread
  and 0 < length(body.current_thread.links) < 10
  // a link hosted off the legitimate root domain whose crawl fetches the real logo asset
  and any(body.current_thread.links,
          .href_url.domain.root_domain != 'bidsandtenders.ca'
          and any(ml.link_analysis(.).unique_urls_accessed,
                  .domain.domain == 'bids.bidsandtenders.ca'
                  and strings.icontains(.path, '/Logo/')
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Spoofing"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
  - "Content analysis"
id: "a525a341-3bd1-5acc-8275-0a8a3a5c532b"
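The rule above combines three conditions: a sender signal (the message is addressed to exactly one recipient who is either the sender itself or has an invalid domain), a bound on link count, and a link whose root domain is not bidsandtenders.ca but whose crawl fetches a logo asset from bids.bidsandtenders.ca. The following Python is an added example, not Sublime's code or data model, that re-implements that logic over constructed message records so the three conditions can be seen working together. The Message and Link structures, the recipient_domain_valid flag and the two-label root_domain helper are assumptions standing in for the rule's MQL fields.

```python
"""Added example: Python re-implementation of the Bids & Tenders impersonation
rule's logic. Message/Link structures are hypothetical stand-ins for the MQL
fields (sender.email, recipients.to, body.current_thread.links,
ml.link_analysis(.).unique_urls_accessed); they are not Sublime's data model."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

LEGIT_ROOT = "bidsandtenders.ca"       # .href_url.domain.root_domain in the rule
LOGO_HOST = "bids.bidsandtenders.ca"   # .domain.domain of the crawled asset


def root_domain(host: str) -> str:
    """Hypothetical helper: last two DNS labels. Real engines use the Public
    Suffix List; this is only enough for the constructed samples below."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


@dataclass
class Link:
    href_url: str
    # URLs the link-analysis crawl fetched when following href_url
    unique_urls_accessed: list = field(default_factory=list)


@dataclass
class Message:
    sender_email: str
    recipients_to: list            # recipient addresses (recipients.to)
    links: list                    # Link objects in the current thread
    recipient_domain_valid: bool = True  # recipients.to[0].email.domain.valid


def loads_bids_logo(link: Link) -> bool:
    """True if the crawl fetched a /Logo/ asset from the real Bids & Tenders host."""
    for url in link.unique_urls_accessed:
        parsed = urlparse(url)
        if (parsed.hostname or "").lower() == LOGO_HOST and "/logo/" in parsed.path.lower():
            return True
    return False


def suspicious_sender(msg: Message) -> bool:
    """Exactly one To recipient, and either self-sender or invalid recipient domain."""
    if len(msg.recipients_to) != 1:
        return False
    to = msg.recipients_to[0]
    return msg.sender_email.lower() == to.lower() or not msg.recipient_domain_valid


def matches_rule(msg: Message) -> bool:
    """Evaluate all three conditions of the rule over one message."""
    if not suspicious_sender(msg):
        return False
    if not (0 < len(msg.links) < 10):
        return False
    for link in msg.links:
        host = urlparse(link.href_url).hostname or ""
        if root_domain(host) != LEGIT_ROOT and loads_bids_logo(link):
            return True
    return False


# Constructed sample messages (not real mail)
PHISH = Message(
    sender_email="procurement@example.org",
    recipients_to=["procurement@example.org"],       # self-sender
    links=[Link(
        href_url="https://bids-portal.example.net/login",   # off-brand host
        unique_urls_accessed=[
            "https://bids-portal.example.net/login",
            "https://bids.bidsandtenders.ca/Logo/bt-logo.png",  # hotlinked real logo
        ],
    )],
)

BENIGN = Message(
    sender_email="notices@bidsandtenders.ca",
    recipients_to=["buyer@example.org"],
    links=[Link(
        href_url="https://bids.bidsandtenders.ca/Module/Tenders/en",
        unique_urls_accessed=["https://bids.bidsandtenders.ca/Logo/bt-logo.png"],
    )],
)

if __name__ == "__main__":
    print("phish:", matches_rule(PHISH))    # True
    print("benign:", matches_rule(BENIGN))  # False
```

The benign sample shows why the sender condition matters: a legitimate notification also loads the logo from bids.bidsandtenders.ca, but it is sent from the brand's own domain to a distinct recipient, so it never reaches the link check.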