Brand impersonation: Proofpoint secure messaging without legitimate indicators

calendar Nov 14, 2025  ·
Share on: linkedin copy

Detects messages impersonating Proofpoint secure messaging services that contain Proofpoint branding text but lack legitimate Proofpoint secure sharing URIs or authentic attachment indicators, suggesting fraudulent use of the brand.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Proofpoint secure messaging without legitimate indicators"
 2description: "Detects messages impersonating Proofpoint secure messaging services that contain Proofpoint branding text but lack legitimate Proofpoint secure sharing URIs or authentic attachment indicators, suggesting fraudulent use of the brand."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and (
 8    // matching proofpoint secure messaging
 9    strings.contains(body.current_thread.text,
10                     "Secured by Proofpoint Encryption,"
11    )
12    or regex.icontains(body.current_thread.text,
13                       ('Copyright © 2009-202\d Proofpoint, Inc.')
14    )
15  )
16  // pfpt secure share uri
17  and not (
18    any(body.links,
19        // negate the actual dest of the legit "click here" link
20        .href_url.path == "/formpostdir/securereader"
21        // negate where the link domain is mimecast and check LA for the pfpt URI
22        or (
23          .href_url.domain.root_domain == "mimecastprotect.com"
24          and ml.link_analysis(., mode="aggressive").effective_url.path == "/formpostdir/securereader"
25        )
26    )
27  )
28  // negate actual SecureMessageAtt.html links that ave been quarantined by mimecast
29  and not any(attachments,
30              // pfpt attachment file
31              .file_name == "SecureMessageAtt.html"
32              // mimecast quarantine details
33              or (
34                .content_type == "message/rfc822"
35                and length(file.parse_eml(.).body.links) == 1
36                and any(file.parse_eml(.).body.links,
37                        .display_text == "download it"
38                        and .href_url.domain.root_domain == "mimecast.com"
39                )
40                and strings.ends_with(file.parse_eml(.).headers.message_id,
41                                      "@localhost>"
42                )
43              )
44  )  
45attack_types:
46  - "Credential Phishing"
47tactics_and_techniques:
48  - "Impersonation: Brand"
49  - "Social engineering"
50detection_methods:
51  - "Content analysis"
52  - "File analysis"
53  - "Header analysis"
54  - "URL analysis"
55id: "84b72d02-f80c-56d0-9b42-c5f92750ec11"
to-top