Brand impersonation: Proofpoint secure messaging without legitimate indicators

Detects messages impersonating Proofpoint secure messaging services that contain Proofpoint branding text but lack legitimate Proofpoint secure sharing URIs or authentic attachment indicators, suggesting fraudulent use of the brand.

Sublime rule (View on GitHub)

name: "Brand impersonation: Proofpoint secure messaging without legitimate indicators"
description: "Detects messages impersonating Proofpoint secure messaging services that contain Proofpoint branding text but lack legitimate Proofpoint secure sharing URIs or authentic attachment indicators, suggesting fraudulent use of the brand."
type: "rule"
severity: "high"
# Logic: inbound message shows Proofpoint branding text and has at least one link,
# but none of the link-based or attachment-based indicators of a genuine
# Proofpoint secure message (or a Mimecast-rewritten / quarantined one) is present.
source: |
  type.inbound
  and (
    // matching proofpoint secure messaging: either the encryption footer text
    // (strings.contains, trailing comma included) or the copyright line
    // (case-insensitive; the year range as written covers 2009-2020 .. 2009-2029)
    strings.contains(body.current_thread.text,
                     "Secured by Proofpoint Encryption,"
    )
    // NOTE(review): the '.' after "Inc" is an unescaped regex metacharacter and
    // matches any single character, not only a literal period
    or regex.icontains(body.current_thread.text,
                       ('Copyright © 2009-202\d Proofpoint, Inc.')
    )
  )
  // a genuine notification carries at least one link in the current thread
  and length(body.current_thread.links) >= 1
  // pfpt secure share uri
  // NOTE: this negation scans body.links (entire body), while the length check
  // above is scoped to body.current_thread.links
  and not (
    any(body.links,
        // negate the actual dest of the legit "click here" link
        .href_url.path == "/formpostdir/securereader"
        // negate where the link domain is mimecast and check LA for the pfpt URI
        // (aggressive link analysis is evaluated for the effective URL and then
        // again for every hop in the redirect history)
        or (
          .href_url.domain.root_domain == "mimecastprotect.com"
          and (
            ml.link_analysis(., mode="aggressive").effective_url.path == "/formpostdir/securereader"
            or any(ml.link_analysis(., mode="aggressive").redirect_history,
                   .path == "/formpostdir/securereader"
            )
          )
        )
        // negate a mimecast-rewritten "Click here" link (=~ is the case-insensitive
        // comparison) whose decoded "domain" query param resolves to the same root
        // domain as the sender
        // NOTE(review): assumes query_params_decoded["domain"] is present on the
        // link; behaviour when the param is absent is not visible here — confirm
        or (
          .href_url.domain.root_domain == "mimecastprotect.com"
          and .display_text =~ "Click here"
          and strings.parse_domain(.href_url.query_params_decoded["domain"][0]).root_domain == sender.email.domain.root_domain
        )
    )
  )
  // negate actual SecureMessageAtt.html links that have been quarantined by mimecast
  and not any(attachments,
              // pfpt attachment file
              .file_name == "SecureMessageAtt.html"
              // mimecast quarantine details: an attached .eml (message/rfc822) whose
              // body has exactly one link, that link reads "download it" and points
              // at mimecast.com, and whose Message-ID header ends in "@localhost>"
              or (
                .content_type == "message/rfc822"
                and length(file.parse_eml(.).body.links) == 1
                and any(file.parse_eml(.).body.links,
                        .display_text == "download it"
                        and .href_url.domain.root_domain == "mimecast.com"
                )
                and strings.ends_with(file.parse_eml(.).headers.message_id,
                                      "@localhost>"
                )
              )
  )  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "URL analysis"
id: "84b72d02-f80c-56d0-9b42-c5f92750ec11"