Brand impersonation: McAfee
Detects messages impersonating McAfee through display name, subject line, body content, or NLU entity detection when the sender is not from verified McAfee domains or other high-trust domains with valid DMARC authentication.
# Sublime Security detection rule: McAfee brand impersonation.
# The gutter numbers and collapsed indentation of the rendered listing have been
# dropped; every token of the rule itself is unchanged.
name: "Brand impersonation: McAfee"
description: "Detects messages impersonating McAfee through display name, subject line, body content, or NLU entity detection when the sender is not from verified McAfee domains or other high-trust domains with valid DMARC authentication."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // Body or subject: the brand name within 30 characters of "Defense"/"Protection"
    // (case-insensitive match)
    regex.icontains(body.current_thread.text,
                    'McAfee.{0,30}(?:Defense|Protection)'
    )
    or regex.icontains(subject.base, 'McAfee.{0,30}(?:Defense|Protection)')
    // Display name that starts with "mcafee" (allowing leading whitespace/punctuation
    // and a space inside the name), followed by end-of-string or any non-comma char
    or regex.icontains(sender.display_name, '^[\s[:punct:]]*mc\s*afee(?:$|[^,])')
    or (
      // NLU path: an "org" or "sender" entity whose text mentions mcafee ...
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name in ("org", "sender") and strings.icontains(.text, 'mcafee')
      )
      // ... combined with at least two "urgency" entities in the same thread text
      and length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                        .name == "urgency"
                 )
      ) >= 2
    )
  )
  // Exclude newsletter / promotional topics unless the classifier's confidence is "low"
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ("Newsletters and Digests", "Advertising and Promotions")
              and .confidence != "low"
  )
  // Negate the legitimate McAfee root domains, but only when DMARC passes; a
  // spoofed From on these domains without a DMARC pass still fires the rule
  and not (
    sender.email.domain.root_domain in ('mcafee.com', 'mcafeesecure.com')
    and headers.auth_summary.dmarc.pass
  )
  // Negate highly trusted sender root domains unless they fail DMARC authentication
  // ($high_trust_sender_root_domains is a list maintained outside this rule)
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and headers.auth_summary.dmarc.pass
  )

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "6b593b92-b4f8-5a38-a2ba-216432df589c"