Impersonation: Fake product discount promotion

Detects inbound messages containing fake product-discount offers whose links lead to a googleapis.com domain.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata wrapping an MQL query in `source`.
# The query fires on inbound mail that combines (1) wording from a fake-discount /
# survey template, (2) a discount-claim or question-count phrase, (3) a link whose
# root domain is googleapis.com, and (4) an NLU topic of "Advertising and Promotions",
# while exempting DMARC-authenticated mail from high-trust sender domains.
name: "Impersonation: Fake product discount promotion"
description: "Detects messages containing fake product discount offers that leads to a googleapis.com domain."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail only.
  type.inbound
  // Template wording. "hi {email}" is matched as literal text — presumably an
  // unrendered merge-field placeholder left behind by the lure's mail-merge; verify
  // against samples before tuning it out.
  // NOTE(review): if strings.icontains with several substrings is an any-match
  // (check the MQL reference), "code" and "survey" alone are common in legitimate
  // mail, so this clause is only a weak prefilter and precision comes from the
  // conjuncts below.
  and strings.icontains(body.current_thread.text,
                        "hi {email}",
                        "participation is voluntary",
                        "limit one discount",
                        "limited time offer",
                        "code",
                        "survey"
  )
  // Either a percentage-off claim ("claim 20% off") or a question count
  // ("3 question(s)") typical of survey-reward lures. Both regexes are
  // case-insensitive.
  and (
    regex.icontains(body.current_thread.text, 'claim \d+% off')
    or regex.icontains(body.current_thread.text, '\d+ question')
  )
  // At least one link in the current thread resolves to the googleapis.com root
  // domain (any subdomain), i.e. the lure is hosted on a free file host rather
  // than on the impersonated brand's own domain.
  and any(body.current_thread.links,
          .href_url.domain.root_domain == "googleapis.com"
  )
  // Independent corroboration from the ML topic classifier that the body reads
  // as a promotion.
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in ("Advertising and Promotions")
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // coalesce() maps a missing DMARC verdict to false, so a high-trust domain that
  // is unauthenticated (or spoofed) is NOT exempted and the rule still fires.
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )  

# Classification tags for reporting/triage; the match logic itself is the
# `source` query above.
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Free file host"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
# Stable rule identifier; keep it unchanged when tuning so history follows the rule.
id: "1155c0b9-08ca-54fd-97cd-b3d357ba8538"