Brand impersonation: Purdue ePlanroom with suspicious links
Detects messages impersonating Purdue ePlanroom whose links are either not from the legitimate reprographix.com domain or carry credential-theft indicators.
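name: "Brand impersonation: Purdue ePlanroom with suspicious links"
description: "Detects messages impersonating Purdue ePlanroom with links that are either not from the legitimate reprographix.com domain or contain suspicious credential theft indicators."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Brand reference anywhere in the current thread text (case-insensitive).
  and strings.icontains(body.current_thread.text, "Purdue ePlanroom")
  and (
    // Branch 1: a "Review This Project" call-to-action whose href resolves
    // off-brand. The display-text match is case-insensitive so that
    // "REVIEW THIS PROJECT" / "review this project" cannot sidestep the
    // check; this also matches the icontains used for the brand string above.
    // NOTE(review): confirm how a null root_domain (e.g. mailto: or malformed
    // hrefs) evaluates against != here — it may match or be dropped silently.
    any(filter(body.links, strings.icontains(.display_text, "Review This Project")),
        .href_url.domain.root_domain != "reprographix.com"
    )
    // Branch 2: any link in the body is classified as credential phishing.
    or any(body.links, ml.link_analysis(.).credphish.disposition == "phishing")
  )
  // Suppress only mail that both comes from the legitimate domain and is
  // DMARC-authenticated; a spoofed From: with a failed/missing DMARC result
  // still alerts.
  and not (
    sender.email.domain.root_domain == "reprographix.com"
    and headers.auth_summary.dmarc.pass
  )

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
id: "4db5b0b6-b2dd-5d39-9c74-baa6ddcf7e5b"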