Brand impersonation: Proofpoint secure messaging without legitimate indicators

Detects messages impersonating Proofpoint secure messaging services that contain Proofpoint branding text but lack legitimate Proofpoint secure sharing URIs or authentic attachment indicators, suggesting fraudulent use of the brand.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Proofpoint secure messaging without legitimate indicators"
 2description: "Detects messages impersonating Proofpoint secure messaging services that contain Proofpoint branding text but lack legitimate Proofpoint secure sharing URIs or authentic attachment indicators, suggesting fraudulent use of the brand."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and (
 8    // matching proofpoint secure messaging
 9    (
10      strings.contains(body.current_thread.text,
11                       "Secured by Proofpoint Encryption,"
12      )
13      and not strings.iends_with(body.current_thread.text,
14                                 "Secured by Proofpoint Encryption, Copyright © 2009-2016 Proofpoint, Inc. All rights reserved."
15      )
16    )
17    or regex.icontains(body.current_thread.text,
18                       ('Copyright © 2009-202\d Proofpoint, Inc.')
19    )
20    or strings.icontains(body.html.raw, '<h1>Proofpoint |')
21    // body.html contains a suspicious title impersonating proofpoint
22    or (
23      any(html.xpath(body.html, '//title').nodes,
24          strings.icontains(.raw, "secure access")
25          and strings.icontains(.raw, 'Proofpoint')
26      )
27    )
28    // no links but has attachments which impersonate proofpoint
29    or any(attachments,
30           strings.icontains(file.parse_text(.).text, '<h1>Proofpoint |')
31           or any(html.xpath(file.parse_html(.), '//title').nodes,
32                  strings.icontains(.raw, "secure access")
33                  and strings.icontains(.raw, 'Proofpoint')
34           )
35    )
36  )
37  and (
38    // contains a link
39    length(body.current_thread.links) >= 1
40    // or an attachment (legit attachments negated in stanza below)
41    or length(attachments) > 0
42  )
43  
44  // pfpt secure share uri
45  and not (
46    any(body.links,
47        // negate the actual dest of the legit "click here" link
48        .href_url.path == "/formpostdir/securereader"
49        // negate where the link domain is mimecast and check LA for the pfpt URI
50        or (
51          .href_url.domain.root_domain == "mimecastprotect.com"
52          and (
53            ml.link_analysis(., mode="aggressive").effective_url.path == "/formpostdir/securereader"
54            or any(ml.link_analysis(., mode="aggressive").redirect_history,
55                   .path == "/formpostdir/securereader"
56            )
57          )
58        )
59        or (
60          .href_url.domain.root_domain == "mimecastprotect.com"
61          and .display_text =~ "Click here"
62          and strings.parse_domain(.href_url.query_params_decoded["domain"][0]).root_domain == sender.email.domain.root_domain
63        )
64    )
65  )
66  // negate actual SecureMessageAtt.html links that ave been quarantined by mimecast
67  and not any(attachments,
68              // pfpt attachment file
69              .file_name == "SecureMessageAtt.html"
70              // mimecast quarantine details
71              or (
72                .content_type == "message/rfc822"
73                and length(file.parse_eml(.).body.links) == 1
74                and any(file.parse_eml(.).body.links,
75                        .display_text == "download it"
76                        and .href_url.domain.root_domain == "mimecast.com"
77                )
78                and strings.ends_with(file.parse_eml(.).headers.message_id,
79                                      "@localhost>"
80                )
81              )
82  )  
83attack_types:
84  - "Credential Phishing"
85tactics_and_techniques:
86  - "Impersonation: Brand"
87  - "Social engineering"
88detection_methods:
89  - "Content analysis"
90  - "File analysis"
91  - "Header analysis"
92  - "URL analysis"
93id: "84b72d02-f80c-56d0-9b42-c5f92750ec11"
to-top