Brand impersonation: Navan

Impersonation of the expense management provider Navan.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Navan"
 2description: "Impersonation of the expense management provider Navan."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    regex.icontains(sender.display_name, '(?:The\s+)?\bNavan\b(?:\s+Team)?')
 9    or strings.ilike(sender.email.domain.domain, '*Navan*')
10    or 2 of (
11      strings.icontains(body.current_thread.text, 'Navan'),
12      strings.icontains(body.current_thread.text, '3045 Park Blvd'),
13      strings.icontains(body.current_thread.text, 'Palo Alto, CA 94306')
14    )
15  )
16  and (
17    any(ml.logo_detect(file.message_screenshot()).brands,
18        .name == "Navan" and .confidence in ("medium", "high")
19    )
20    or (
21      regex.icontains(subject.subject,
22                      "(?:unrecognized|Unusual|suspicious|unknown) (?:log|sign).?[io]n attempt",
23                      "(?:important|urgent|attention|alert) account|accessed|[new|unrecognized|suspicious] location"
24      )
25      or any(ml.nlu_classifier(body.current_thread.text).entities,
26             .name == "urgency"
27      )
28      or any(ml.nlu_classifier(body.current_thread.text).intents,
29             .name in ("cred_theft", "steal_pii")
30      )
31    )
32  )
33  and sender.email.domain.root_domain not in~ ('navan.com')
34
35  // negate highly trusted sender domains unless they fail DMARC authentication
36  and (
37    (
38      sender.email.domain.root_domain in $high_trust_sender_root_domains
39      and not headers.auth_summary.dmarc.pass
40    )
41    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
42  )
43  and (
44    not profile.by_sender().solicited
45    or (
46      profile.by_sender().any_messages_malicious_or_spam
47      and not profile.by_sender().any_messages_benign
48    )
49  )
50  and not profile.by_sender().any_messages_benign  
51attack_types:
52  - "Credential Phishing"
53tactics_and_techniques:
54  - "Impersonation: Brand"
55  - "Social engineering"
56  - "Spoofing"
57detection_methods:
58  - "Sender analysis"
59  - "Natural Language Understanding"
60  - "URL analysis"
61  - "Content analysis"
62id: "3573e9a8-0ab7-5693-8386-8c75c95659b2"