Brand Impersonation: Procore
Detects messages containing Procore branding language that do not originate from legitimate Procore domains. This has been observed in phishing campaigns.
# Sublime Security detection rule: YAML metadata wrapping an MQL query in `source`.
# The query fires on inbound mail that carries Procore branding text but is not
# sent from an authenticated Procore domain, with exemptions for genuine
# reply/forward threads and for bounce-style system notifications.
name: "Brand Impersonation: Procore"
description: "Detects messages containing Procore branding language that do not originate from legitimate Procore domains. This has been observed in phishing campaigns."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound messages only.
  type.inbound
  // Brand signal, evaluated on the current-thread body text: either the
  // "powered by Procore" footer wording, or at least two of the brand name and
  // the two Carpinteria street-address fragments.
  and (
    strings.ilike(body.current_thread.text, "*powered by procore*")
    or 2 of (
      strings.icontains(body.current_thread.text, 'Procore'),
      strings.icontains(body.current_thread.text, '6309 Carpinteria Ave'),
      strings.icontains(body.current_thread.text, 'Carpinteria, CA 93013')
    )
  )
  // Legitimate-sender exemption: the sender root domain must be a listed
  // Procore domain AND DMARC must have passed. Both are required, so a matching
  // domain without passing authentication does not exempt the message.
  // coalesce() maps a missing DMARC result to false (treated as not passing).
  and not (
    sender.email.domain.root_domain in ("procore.com", "procoretech.com")
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

  // negating legit replies/forwards
  // A subject prefix alone is not enough: the message must also carry both a
  // non-empty References header and an In-Reply-To header (checked across hops).
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      or strings.istarts_with(subject.subject, "FW:")
      or strings.istarts_with(subject.subject, "FWD:")
      // Case-insensitive pattern that also tolerates up to three leading
      // "[tag]" prefixes before the RE / FW / FWD / automated marker.
      or regex.imatch(subject.subject,
                      '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
      )
      or strings.istarts_with(subject.subject, "Réponse automatique")
    )
    and (
      length(headers.references) > 0
      and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // negate bounce backs
  // Requires a system-mailbox local part AND an attachment of one of the
  // listed notification content types; either condition alone does not exempt.
  and not (
    strings.like(sender.email.local_part,
                 "*postmaster*",
                 "*mailer-daemon*",
                 "*administrator*"
    )
    and any(attachments,
            .content_type in (
              "message/rfc822",
              "message/delivery-status",
              "text/calendar"
            )
    )
  )

# Classification metadata used for triage and reporting.
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
# Rule identifier; keep stable so existing detections and tuning remain linked to this rule.
id: "74baa1e5-f1cd-5d15-b2f2-e863baf4a20f"