Brand impersonation: Robert Half
Detects messages impersonating Robert Half, a staffing and recruiting company, by analyzing sender display names, logo detection in message screenshots, and specific company address references in the message body. The rule flags messages from senders not authenticated from legitimate Robert Half domains.
Sublime rule

```yaml
name: "Brand impersonation: Robert Half"
description: "Detects messages impersonating Robert Half, a staffing and recruiting company, by analyzing sender display names, logo detection in message screenshots, and specific company address references in the message body. The rule flags messages from senders not authenticated from legitimate Robert Half domains."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    strings.icontains(sender.display_name, "Robert Half")
    or (
      any(ml.logo_detect(file.message_screenshot()).brands,
          .name == "Robert Half"
      )
      and strings.icontains(sender.display_name, "Robert Half")
    )
    or 2 of (
      strings.icontains(body.current_thread.text, 'Robert Half'),
      strings.icontains(body.current_thread.text, '2884 Sand Hill Road'),
      strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025')
    )
  )
  // not a forward or reply
  and (headers.in_reply_to is null or length(headers.references) == 0)
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in (
                "Newsletters and Digests",
                "Voicemail Call and Missed Call Notifications",
                "Advertising and Promotions"
              )
              and .confidence != "low"
  )
  // and the sender is not in org_domains or from Robert Half domains and passes auth
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      sender.email.domain.root_domain in (
        "roberthalf.com",
        "roberthalf.be",
        "service-now.com",
        "protiviti.com",
        "atlassian.net",
        "workday.com",
        "myworkday.com"
      )
      and headers.auth_summary.dmarc.pass
    )
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "74f8826c-6bf8-5e7d-8c75-1f06a98921a4"
```
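To make the rule's logic concrete, the following is an added Python model of the same conditions, not part of the Sublime rule or its repository, run over constructed sample messages. The two ML signals (logo detection and NLU topics) cannot run offline, so they are supplied as precomputed fields on each message; `Message`, `matches` and the sample data are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Domain allowlist and body markers copied from the rule above.
ROBERT_HALF_DOMAINS = {
    "roberthalf.com", "roberthalf.be", "service-now.com", "protiviti.com",
    "atlassian.net", "workday.com", "myworkday.com",
}
BODY_MARKERS = ("robert half", "2884 sand hill road", "menlo park, ca 94025")
EXCLUDED_TOPICS = {
    "Newsletters and Digests",
    "Voicemail Call and Missed Call Notifications",
    "Advertising and Promotions",
}


@dataclass
class Message:
    """Constructed stand-in for the message fields the rule reads."""
    display_name: str
    sender_root_domain: str
    body: str
    dmarc_pass: bool = False
    in_reply_to: Optional[str] = None
    references: List[str] = field(default_factory=list)
    logo_brands: List[str] = field(default_factory=list)       # ml.logo_detect(...).brands names
    topics: List[Tuple[str, str]] = field(default_factory=list)  # (name, confidence) from nlu_classifier


def matches(msg: Message, org_domains: Set[str]) -> bool:
    """True when the rule would flag the message."""
    name_hit = "robert half" in msg.display_name.lower()
    logo_hit = "Robert Half" in msg.logo_brands and name_hit
    body_hits = sum(marker in msg.body.lower() for marker in BODY_MARKERS)
    impersonation = name_hit or logo_hit or body_hits >= 2
    # not a forward or reply
    fresh_thread = msg.in_reply_to is None or len(msg.references) == 0
    # drop newsletters, voicemail notices and promotions unless the classifier is unsure
    noisy_topic = any(name in EXCLUDED_TOPICS and conf != "low" for name, conf in msg.topics)
    # legitimate sender: the org itself, or a Robert Half domain that passes DMARC
    legit = msg.sender_root_domain in org_domains or (
        msg.sender_root_domain in ROBERT_HALF_DOMAINS and msg.dmarc_pass
    )
    return impersonation and fresh_thread and not noisy_topic and not legit


# Constructed samples: lookalike domain, spoofed real domain, and an authenticated real one.
LOOKALIKE = Message("Robert Half Recruiting", "roberthalf-careers.example", "Apply today")
SPOOFED = Message("Robert Half", "roberthalf.com", "Apply today", dmarc_pass=False)
GENUINE = Message("Robert Half", "roberthalf.com", "Apply today", dmarc_pass=True)
ADDRESS_ONLY = Message("HR Team", "mail.example", "Robert Half, 2884 Sand Hill Road")
REPLY = Message("Robert Half", "mail.example", "re: offer", in_reply_to="<a@b>", references=["<a@b>"])
NEWSLETTER = Message("Robert Half", "mail.example", "Weekly jobs", topics=[("Newsletters and Digests", "high")])
```

The authenticated roberthalf.com message is exempt only because DMARC passes; the same display name from the same domain without a DMARC pass is still flagged.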