Brand Impersonation: Procore

Detects messages containing Procore branding language that do not originate from legitimate Procore domains. This has been observed in phishing campaigns.


# Sublime Security detection rule; the MQL query lives in `source`.
name: "Brand Impersonation: Procore"
description: "Detects messages containing Procore branding language that do not originate from legitimate Procore domains. This has been observed in phishing campaigns."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound messages only.
  type.inbound
  // Procore branding signals: the "powered by procore" footer, or at least two
  // of the brand name and its Carpinteria mailing-address fragments, or a
  // "via Procore" display name whose body links resolve to free-subdomain hosts.
  and (
    strings.ilike(body.current_thread.text, "*powered by procore*")
    or 2 of (
      strings.icontains(body.current_thread.text, 'Procore'),
      strings.icontains(body.current_thread.text, '6309 Carpinteria Ave'),
      strings.icontains(body.current_thread.text, 'Carpinteria, CA 93013')
    )
    or (
      strings.iends_with(sender.display_name, 'via Procore')
      and any(body.current_thread.links,
              .href_url.domain.root_domain in $free_subdomain_hosts
      )
    )
  )
  // Exclude mail that is both from a Procore-owned root domain and DMARC-authenticated.
  // coalesce() maps a missing DMARC result to false, so unauthenticated mail
  // claiming these domains is still evaluated by the rest of the rule.
  and not (
    sender.email.domain.root_domain in ("procore.com", "procoretech.com")
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

  // Exclude threaded replies/forwards: a reply/forward/auto-reply subject prefix
  // together with References and In-Reply-To headers.
  // NOTE(review): both signals are set by the sending side, so this carve-out
  // trades some recall for fewer false positives on genuine threads.
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      or strings.istarts_with(subject.subject, "FW:")
      or strings.istarts_with(subject.subject, "FWD:")
      // up to three bracketed tags, then re/fw/fwd/automat... followed by a colon
      or regex.imatch(subject.subject,
                      '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
      )
      // French automatic-reply subject
      or strings.istarts_with(subject.subject, "Réponse automatique")
    )
    and (length(headers.references) > 0 and headers.in_reply_to is not null)
  )
  // Exclude bounce-backs: a postmaster/mailer-daemon/administrator sender with
  // an embedded message, delivery-status, or calendar attachment.
  and not (
    strings.like(sender.email.local_part,
                 "*postmaster*",
                 "*mailer-daemon*",
                 "*administrator*"
    )
    and any(attachments,
            .content_type in (
              "message/rfc822",
              "message/delivery-status",
              "text/calendar"
            )
    )
  )
# Rule taxonomy tags.
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
# Rule identifier.
id: "74baa1e5-f1cd-5d15-b2f2-e863baf4a20f"