Brand impersonation: McAfee
Detects messages impersonating McAfee through display name, subject line, body content, or NLU entity detection when the sender is not from verified McAfee domains or other high-trust domains with valid DMARC authentication.
# Sublime detection rule for McAfee brand impersonation.
# Shape of the query: (at least one brand signal)
#                     and not (benign newsletter/advertising topic)
#                     and not (sender is a known McAfee or high-trust root domain AND passes DMARC).
name: "Brand impersonation: McAfee"
description: "Detects messages impersonating McAfee through display name, subject line, body content, or NLU entity detection when the sender is not from verified McAfee domains or other high-trust domains with valid DMARC authentication."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Brand signal: any one of the four indicators below is sufficient.
  and (
    // "McAfee" followed within 30 characters by "Defense" or "Protection"
    // in the text of the most recent message in the thread (case-insensitive).
    regex.icontains(body.current_thread.text,
                    'McAfee.{0,30}(?:Defense|Protection)'
    )
    // Same phrase in the subject; subject.base is used rather than the raw subject
    // (presumably the normalized form without Re:/Fwd: prefixes — verify against MQL docs).
    or regex.icontains(subject.base, 'McAfee.{0,30}(?:Defense|Protection)')
    // Display name that begins with a McAfee-like token after optional leading
    // whitespace/punctuation. Spacing and repeated letters are tolerated
    // ("Mc Afee", "McAffee", "McAfeee"); a comma directly after the token does
    // not match, so "McAfee, <first name>"-style personal names are excluded.
    or regex.icontains(sender.display_name,
                       '^[\s[:punct:]]*mc\s*a+f+ee+(?:$|[^,])'
    )
    // NLU path: an "org" or "sender" entity whose text mentions McAfee,
    // combined with at least two "urgency" entities in the same message body.
    or (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name in ("org", "sender") and strings.icontains(.text, 'mcafee')
      )
      and length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                        .name == "urgency"
                 )
      ) >= 2
    )
  )
  // Suppress legitimate marketing traffic: a newsletter/advertising topic
  // classification silences the rule unless the classifier's confidence is "low".
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ("Newsletters and Digests", "Advertising and Promotions")
              and .confidence != "low"
  )
  // Exclude McAfee's own root domains only when DMARC passes. A sender claiming
  // mcafee.com that fails DMARC authentication is NOT excluded and still matches.
  and not (
    sender.email.domain.root_domain in ('mcafee.com', 'mcafeesecure.com')
    and headers.auth_summary.dmarc.pass
  )
  // Same DMARC-gated exclusion for the shared high-trust root-domain list.
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and headers.auth_summary.dmarc.pass
  )

# Classification metadata used for reporting/triage; it does not affect matching.
attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
# Stable rule identifier; keep unchanged when editing the rule.
id: "6b593b92-b4f8-5a38-a2ba-216432df589c"