Brand Impersonation: Procore

 1name: "Brand Impersonation: Procore"
 2description: "Detects messages containing Procore branding language that do not originate from legitimate Procore domains. This has been observed in phishing campaigns."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and strings.ilike(body.current_thread.text, "*powered by procore*")
 8  and not sender.email.domain.root_domain in ("procore.com", "procoretech.com")
 9  
10  // negating legit replies/forwards
11  and not (
12    (
13      strings.istarts_with(subject.subject, "RE:")
14      or strings.istarts_with(subject.subject, "FW:")
15      or strings.istarts_with(subject.subject, "FWD:")
16      or regex.imatch(subject.subject,
17                      '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
18      )
19      or strings.istarts_with(subject.subject, "Réponse automatique")
20    )
21    and (
22      length(headers.references) > 0
23      and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
24    )
25  )
26  // negate bounce backs
27  and not (
28    strings.like(sender.email.local_part,
29                 "*postmaster*",
30                 "*mailer-daemon*",
31                 "*administrator*"
32    )
33    and any(attachments,
34            .content_type in (
35              "message/rfc822",
36              "message/delivery-status",
37              "text/calendar"
38            )
39    )
40  )  
41
42attack_types:
43  - "BEC/Fraud"
44  - "Credential Phishing"
45tactics_and_techniques:
46  - "Impersonation: Brand"
47  - "Social engineering"
48detection_methods:
49  - "Content analysis"
50  - "Sender analysis"
51id: "74baa1e5-f1cd-5d15-b2f2-e863baf4a20f"