Brand impersonation: McAfee

Detects messages impersonating McAfee through display name, subject line, body content, or NLU entity detection when the sender is not from verified McAfee domains or other high-trust domains with valid DMARC authentication.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: McAfee"
 2description: "Detects messages impersonating McAfee through display name, subject line, body content, or NLU entity detection when the sender is not from verified McAfee domains or other high-trust domains with valid DMARC authentication."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    regex.icontains(body.current_thread.text,
 9                    'McAfee.{0,30}(?:Defense|Protection)'
10    )
11    or regex.icontains(subject.base, 'McAfee.{0,30}(?:Defense|Protection)')
12    or (
13      strings.icontains(sender.email.local_part, "mcafee")
14      and regex.icontains(subject.subject, 'billing|account|payment|unpaid')
15    )
16    or regex.icontains(sender.display_name,
17                       '^[\s[:punct:]]*mc\s*a+f+ee+(?:$|[^,])'
18    )
19    or (
20      any(ml.nlu_classifier(body.current_thread.text).entities,
21          .name in ("org", "sender") and strings.icontains(.text, 'mcafee')
22      )
23      and length(filter(ml.nlu_classifier(body.current_thread.text).entities,
24                        .name == "urgency"
25                 )
26      ) >= 2
27    )
28  )
29  and not any(ml.nlu_classifier(body.current_thread.text).topics,
30              .name in ("Newsletters and Digests", "Advertising and Promotions")
31              and .confidence != "low"
32  )
33  and not (
34    sender.email.domain.root_domain in ('mcafee.com', 'mcafeesecure.com')
35    and coalesce(headers.auth_summary.dmarc.pass, false)
36  )
37  and not (
38    sender.email.domain.root_domain in $high_trust_sender_root_domains
39    and coalesce(headers.auth_summary.dmarc.pass, false)
40  )  
41
42attack_types:
43  - "Credential Phishing"
44  - "BEC/Fraud"
45  - "Callback Phishing"
46tactics_and_techniques:
47  - "Impersonation: Brand"
48  - "Social engineering"
49detection_methods:
50  - "Content analysis"
51  - "Header analysis"
52  - "Natural Language Understanding"
53  - "Sender analysis"
54id: "6b593b92-b4f8-5a38-a2ba-216432df589c"
to-top