Brand impersonation: Robert Half

calendar Oct 1, 2025  ·
Share on: linkedin copy

Detects messages impersonating Robert Half, a staffing and recruiting company, by analyzing sender display names, logo detection in message screenshots, and specific company address references in the message body. The rule flags messages from senders not authenticated from legitimate Robert Half domains.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Robert Half"
 2description: "Detects messages impersonating Robert Half, a staffing and recruiting company, by analyzing sender display names, logo detection in message screenshots, and specific company address references in the message body. The rule flags messages from senders not authenticated from legitimate Robert Half domains."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    strings.icontains(sender.display_name, "Robert Half")
 9    or (
10      any(ml.logo_detect(file.message_screenshot()).brands,
11          .name == "Robert Half"
12      )
13      and strings.icontains(sender.display_name, "Robert Half")
14    )
15    or 2 of (
16      strings.icontains(body.current_thread.text, 'Robert Half'),
17      strings.icontains(body.current_thread.text, '2884 Sand Hill Road'),
18      strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025')
19    )
20  )
21  // not a forward or reply
22  and (headers.in_reply_to is null or length(headers.references) == 0)
23  and not any(ml.nlu_classifier(body.current_thread.text).topics,
24              .name in (
25                "Newsletters and Digests",
26                "Voicemail Call and Missed Call Notifications",
27                "Advertising and Promotions"
28              )
29              and .confidence != "low"
30  )
31  // and the sender is not in org_domains or from Robert Half domains and passes auth
32  and not (
33    sender.email.domain.root_domain in $org_domains
34    or (
35      sender.email.domain.root_domain in (
36        "roberthalf.com",
37        "roberthalf.be",
38        "service-now.com",
39        "protiviti.com",
40        "atlassian.net",
41        "workday.com",
42        "myworkday.com"
43      )
44      and headers.auth_summary.dmarc.pass
45    )
46  )  
47
48attack_types:
49  - "BEC/Fraud"
50  - "Credential Phishing"
51tactics_and_techniques:
52  - "Impersonation: Brand"
53  - "Social engineering"
54detection_methods:
55  - "Computer Vision"
56  - "Content analysis"
57  - "Header analysis"
58  - "Sender analysis"
59id: "74f8826c-6bf8-5e7d-8c75-1f06a98921a4"
to-top