Brand Impersonation: Procore

Detects messages containing Procore branding language that do not originate from legitimate Procore domains. This has been observed in phishing campaigns.

Sublime rule (View on GitHub)

name: "Brand Impersonation: Procore"
description: "Detects messages containing Procore branding language that do not originate from legitimate Procore domains. This has been observed in phishing campaigns."
type: "rule"
severity: "medium"
# MQL detection logic. Structure: inbound scope, a Procore-branding signal,
# then three exclusions (authenticated Procore senders, threaded replies/forwards,
# bounce-backs). Comments inside the block use MQL's // syntax.
source: |
  // Scope: inbound mail only.
  type.inbound
  // Branding signal: any one of the three indicators below.
  and (
    // 1. Footer-style text ("powered by procore") anywhere in the current thread body.
    strings.ilike(body.current_thread.text, "*powered by procore*")
    // 2. At least two of: the brand name, the street address, the city/ZIP line.
    or 2 of (
      strings.icontains(body.current_thread.text, 'Procore'),
      strings.icontains(body.current_thread.text, '6309 Carpinteria Ave'),
      strings.icontains(body.current_thread.text, 'Carpinteria, CA 93013')
    )
    // 3. A display name ending in "via Procore" combined with a link whose
    //    root domain is on the $free_subdomain_hosts list.
    or (
      strings.iends_with(sender.display_name, 'via Procore')
      and any(body.current_thread.links,
              .href_url.domain.root_domain in $free_subdomain_hosts
      )
    )
  )
  // Legitimate-sender exclusion: a Procore root domain is trusted only when
  // DMARC also passes. coalesce(..., false) treats a missing DMARC result as
  // a non-pass, so unauthenticated mail from these domains still fires.
  and not (
    sender.email.domain.root_domain in ("procore.com", "procoretech.com")
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  
  // negating legit replies/forwards
  // Both halves are required: a reply/forward-style subject AND threading
  // evidence (a non-empty References header plus an In-Reply-To field on a hop).
  // NOTE(review): subject and threading headers are supplied by the sending
  // party, so this exclusion lowers coverage for any message that presents as
  // a reply; confirm that trade-off is intended for a medium-severity rule.
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      or strings.istarts_with(subject.subject, "FW:")
      or strings.istarts_with(subject.subject, "FWD:")
      // Up to three leading bracketed tags, then re / fw / fwd / automat..., then a colon.
      or regex.imatch(subject.subject,
                      '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
      )
      // French auto-reply prefix.
      or strings.istarts_with(subject.subject, "Réponse automatique")
    )
    and (
      length(headers.references) > 0
      and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // negate bounce backs
  // System-style sender local parts carrying a bounced message, a delivery
  // status report, or a calendar attachment.
  // NOTE(review): strings.like is used here while the rest of the rule uses
  // the case-insensitive i-variants; if strings.like is case-sensitive, local
  // parts such as an upper-case mailer-daemon would not be excluded — confirm.
  and not (
    strings.like(sender.email.local_part,
                 "*postmaster*",
                 "*mailer-daemon*",
                 "*administrator*"
    )
    and any(attachments,
            .content_type in (
              "message/rfc822",
              "message/delivery-status",
              "text/calendar"
            )
    )
  )  

# Classification metadata used for triage and reporting.
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "74baa1e5-f1cd-5d15-b2f2-e863baf4a20f"