Brand impersonation: Proofpoint secure messaging without legitimate indicators
Detects messages impersonating Proofpoint secure messaging services that contain Proofpoint branding text but lack legitimate Proofpoint secure sharing URIs or authentic attachment indicators, suggesting fraudulent use of the brand.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Proofpoint secure messaging without legitimate indicators"
2description: "Detects messages impersonating Proofpoint secure messaging services that contain Proofpoint branding text but lack legitimate Proofpoint secure sharing URIs or authentic attachment indicators, suggesting fraudulent use of the brand."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and (
8 // matching proofpoint secure messaging
9 (
10 strings.contains(body.current_thread.text,
11 "Secured by Proofpoint Encryption,"
12 )
13 and not strings.iends_with(body.current_thread.text,
14 "Secured by Proofpoint Encryption, Copyright © 2009-2016 Proofpoint, Inc. All rights reserved."
15 )
16 )
17 or regex.icontains(body.current_thread.text,
18 ('Copyright © 2009-202\d Proofpoint, Inc.')
19 )
20 or strings.icontains(body.html.raw, '<h1>Proofpoint |')
21 // body.html contains a suspicious title impersonating proofpoint
22 or (
23 any(html.xpath(body.html, '//title').nodes,
24 strings.icontains(.raw, "secure access")
25 and strings.icontains(.raw, 'Proofpoint')
26 )
27 )
28 // no links but has attachments which impersonate proofpoint
29 or any(attachments,
30 strings.icontains(file.parse_text(.).text, '<h1>Proofpoint |')
31 or any(html.xpath(file.parse_html(.), '//title').nodes,
32 strings.icontains(.raw, "secure access")
33 and strings.icontains(.raw, 'Proofpoint')
34 )
35 )
36 )
37 and (
38 // contains a link
39 length(body.current_thread.links) >= 1
40 // or an attachment (legit attachments negated in stanza below)
41 or length(attachments) > 0
42 )
43
44 // pfpt secure share uri
45 and not (
46 any(body.links,
47 // negate the actual dest of the legit "click here" link
48 .href_url.path == "/formpostdir/securereader"
49 // negate where the link domain is mimecast and check LA for the pfpt URI
50 or (
51 .href_url.domain.root_domain == "mimecastprotect.com"
52 and (
53 ml.link_analysis(., mode="aggressive").effective_url.path == "/formpostdir/securereader"
54 or any(ml.link_analysis(., mode="aggressive").redirect_history,
55 .path == "/formpostdir/securereader"
56 )
57 )
58 )
59 or (
60 .href_url.domain.root_domain == "mimecastprotect.com"
61 and .display_text =~ "Click here"
62 and strings.parse_domain(.href_url.query_params_decoded["domain"][0]).root_domain == sender.email.domain.root_domain
63 )
64 )
65 )
66 // negate actual SecureMessageAtt.html links that ave been quarantined by mimecast
67 and not any(attachments,
68 // pfpt attachment file
69 .file_name == "SecureMessageAtt.html"
70 // mimecast quarantine details
71 or (
72 .content_type == "message/rfc822"
73 and length(file.parse_eml(.).body.links) == 1
74 and any(file.parse_eml(.).body.links,
75 .display_text == "download it"
76 and .href_url.domain.root_domain == "mimecast.com"
77 )
78 and strings.ends_with(file.parse_eml(.).headers.message_id,
79 "@localhost>"
80 )
81 )
82 )
83attack_types:
84 - "Credential Phishing"
85tactics_and_techniques:
86 - "Impersonation: Brand"
87 - "Social engineering"
88detection_methods:
89 - "Content analysis"
90 - "File analysis"
91 - "Header analysis"
92 - "URL analysis"
93id: "84b72d02-f80c-56d0-9b42-c5f92750ec11"