Brand Impersonation: Procore
Detects messages containing Procore branding language that do not originate from legitimate Procore domains. This has been observed in phishing campaigns.
Sublime rule
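# Sublime detection rule: flags inbound mail whose body carries Procore
# branding but whose sender is not an authenticated Procore domain.
# The exemption for Procore's own domains now also requires a DMARC pass,
# so a message with a spoofed From: domain of procore.com no longer
# bypasses the rule on the strength of the claimed sender alone.
name: "Brand Impersonation: Procore"
description: "Detects messages containing Procore branding language that do not originate from legitimate Procore domains. This has been observed in phishing campaigns."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // body text carries Procore branding language
  and strings.ilike(body.current_thread.text, "*powered by procore*")

  // legitimate senders: a Procore root domain that also passes DMARC.
  // The domain check alone is not enough, because the From: domain is
  // attacker-controlled on a spoofed message; requiring DMARC to pass
  // keeps a spoofed procore.com sender from qualifying for the exemption.
  and not (
    sender.email.domain.root_domain in ("procore.com", "procoretech.com")
    and headers.auth_summary.dmarc.pass
  )

  // negating legit replies/forwards: the subject must look like a
  // reply/forward AND the threading headers (References, In-Reply-To)
  // must back that up, so a bare "RE:" in the subject is not enough
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      or strings.istarts_with(subject.subject, "FW:")
      or strings.istarts_with(subject.subject, "FWD:")
      or regex.imatch(subject.subject,
                      '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
      )
      or strings.istarts_with(subject.subject, "Réponse automatique")
    )
    and (
      length(headers.references) > 0
      and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )

  // negate bounce backs: a mailer/postmaster-style local part together
  // with an attached original message, delivery report, or calendar item
  and not (
    strings.like(sender.email.local_part,
                 "*postmaster*",
                 "*mailer-daemon*",
                 "*administrator*"
    )
    and any(attachments,
            .content_type in (
              "message/rfc822",
              "message/delivery-status",
              "text/calendar"
            )
    )
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "74baa1e5-f1cd-5d15-b2f2-e863baf4a20f"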