Brand impersonation: State Farm

Detects messages impersonating State Farm insurance company through display name spoofing or similar variations, excluding legitimate communications from verified State Farm domains with proper DMARC authentication.


 1name: "Brand impersonation: State Farm"
 2description: "Detects messages impersonating State Farm insurance company through display name spoofing or similar variations, excluding legitimate communications from verified State Farm domains with proper DMARC authentication."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    regex.icontains(sender.display_name, 'state\s?farm')
 9    and not (
10      strings.icontains(sender.display_name, "state farm")
11      and (
12        strings.icontains(sender.display_name, "center")
13        or strings.icontains(sender.display_name, "arena")
14        or strings.icontains(sender.display_name, "stadium")
15        or strings.icontains(sender.display_name, "hall")
16        or strings.icontains(sender.display_name, "classic")
17        or strings.icontains(sender.display_name, "showdown")
18        or strings.icontains(sender.display_name, "perks at work")
19      )
20    )
21  )
22  
23  // and the sender is not in org_domains or from State Farm domains
24  and not (
25    (
26      sender.email.domain.root_domain in $org_domains
27      or sender.email.domain.root_domain in $high_trust_sender_root_domains
28      or sender.email.domain.root_domain in (
29        "statefarm.com",
30        "statefarminsurance.com",
31        "statefarm.ca",
32        "statefarmbank.com",
33        "sfauthentication.com",
34        "statefarmarena.com",
35        "statefarmservice.com",
36        "statefarmisthere.com",
37        "digitalpayouts.com", // State Farm use this domain for claim payouts
38        "aravo.com", // risk management company State Farm uses
39        "statefarmclaims.com",
40        "statefarmfeedback.com", // legit survey
41        "statefarmsurveys.com", // legit survey
42        "nationalesurvey.com"
43      )
44    )
45  )
46  // negate highly trusted sender domains unless they fail DMARC authentication
47  and not (
48    sender.email.domain.root_domain in $high_trust_sender_root_domains
49    and coalesce(headers.auth_summary.dmarc.pass, false)
50  )  
51
52attack_types:
53  - "Credential Phishing"
54tactics_and_techniques:
55  - "Impersonation: Brand"
56  - "Social engineering"
57  - "Spoofing"
58detection_methods:
59  - "Header analysis"
60  - "Sender analysis"
61id: "bcf7eba0-ac94-52c7-81b3-5abd8019f564"