Brand impersonation: McAfee
Detects messages impersonating McAfee through display name, subject line, body content, or NLU entity detection when the sender is not from verified McAfee domains or other high-trust domains with valid DMARC authentication.
Sublime rule (View on GitHub)
1name: "Brand impersonation: McAfee"
2description: "Detects messages impersonating McAfee through display name, subject line, body content, or NLU entity detection when the sender is not from verified McAfee domains or other high-trust domains with valid DMARC authentication."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 regex.icontains(body.current_thread.text,
9 'McAfee.{0,30}(?:Defense|Protection)'
10 )
11 or regex.icontains(subject.base, 'McAfee.{0,30}(?:Defense|Protection)')
12 or (
13 strings.icontains(sender.email.local_part, "mcafee")
14 and regex.icontains(subject.subject, 'billing|account|payment|unpaid')
15 )
16 or regex.icontains(sender.display_name,
17 '^[\s[:punct:]]*mc\s*a+f+ee+(?:$|[^,])'
18 )
19 or (
20 any(ml.nlu_classifier(body.current_thread.text).entities,
21 .name in ("org", "sender") and strings.icontains(.text, 'mcafee')
22 )
23 and length(filter(ml.nlu_classifier(body.current_thread.text).entities,
24 .name == "urgency"
25 )
26 ) >= 2
27 )
28 )
29 and not any(ml.nlu_classifier(body.current_thread.text).topics,
30 .name in ("Newsletters and Digests", "Advertising and Promotions")
31 and .confidence != "low"
32 )
33 and not (
34 sender.email.domain.root_domain in ('mcafee.com', 'mcafeesecure.com')
35 and coalesce(headers.auth_summary.dmarc.pass, false)
36 )
37 and not (
38 sender.email.domain.root_domain in $high_trust_sender_root_domains
39 and coalesce(headers.auth_summary.dmarc.pass, false)
40 )
41
42attack_types:
43 - "Credential Phishing"
44 - "BEC/Fraud"
45 - "Callback Phishing"
46tactics_and_techniques:
47 - "Impersonation: Brand"
48 - "Social engineering"
49detection_methods:
50 - "Content analysis"
51 - "Header analysis"
52 - "Natural Language Understanding"
53 - "Sender analysis"
54id: "6b593b92-b4f8-5a38-a2ba-216432df589c"