Brand impersonation: United Healthcare
Detects messages impersonating United Healthcare (UHC) by analyzing display names that contain variations of 'United Healthcare' or 'UHC', including those with character substitutions. The rule excludes legitimate messages from verified UHC domains that pass DMARC authentication and treats high-trust sender domains as legitimate only when they also pass DMARC.
Sublime rule
name: "Brand impersonation: United Healthcare"
description: "Detects messages impersonating United Healthcare (UHC) by analyzing display names that contain variations of 'United Healthcare' or 'UHC', including those with character substitutions. The rule excludes legitimate messages from verified UHC domains that pass DMARC authentication and handles high-trust sender domains appropriately."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // display name contains UHC
    (
      strings.ilike(strings.replace_confusables(sender.display_name),
                    '*united healthcare*'
      )
      or strings.ilike(strings.replace_confusables(sender.display_name), 'UHC*')
    )
    // levenshtein distance similar to UHC
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'united healthcare'
    ) <= 1
  )
  // and the sender is not in org_domains or from UHC domains and passes auth
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      (
        sender.email.domain.root_domain in (
          "uhc.com",
          "unitedhealthcare.com",
          "uhcmedicaresolutions.com",
          "unitedhealthcareupdate.com",
          "yourhealth-wellnessteam.com",
          "uhc-customer.com"
        )
        or sender.display_name in (
          "UHCOM Faculty Affairs",
          "UHC Construction Services"
        )
      )
      and headers.auth_summary.dmarc.pass
    )
  )
  // and the sender is not from high trust sender root domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "f8dfff1a-8f3e-5301-b2d7-b68a78ad34db"
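To make the rule's three checks concrete, here is an added Python model of its logic (example code, not Sublime's implementation). It assumes a small constructed confusables map standing in for strings.replace_confusables, models strings.ilike with fnmatch globbing and strings.ilevenshtein as a case-insensitive edit distance, and takes the DMARC result and list memberships as plain inputs.

```python
import fnmatch

# Constructed, deliberately small stand-in for strings.replace_confusables():
# Sublime's real table is far larger. Maps look-alike glyphs to ASCII.
CONFUSABLES = {"\u0435": "e", "\u0430": "a", "\u0441": "c", "\u043e": "o",
               "\u0440": "p", "\u0445": "x", "0": "o", "\u0131": "i"}

# Verified UHC root domains and display names, taken from the rule above.
UHC_ROOT_DOMAINS = {"uhc.com", "unitedhealthcare.com", "uhcmedicaresolutions.com",
                    "unitedhealthcareupdate.com", "yourhealth-wellnessteam.com",
                    "uhc-customer.com"}
UHC_DISPLAY_NAMES = {"UHCOM Faculty Affairs", "UHC Construction Services"}


def replace_confusables(text):
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def ilike(text, pattern):
    # Case-insensitive glob, modeling strings.ilike ('*' = any run of characters).
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def ilevenshtein(a, b):
    # Case-insensitive edit distance, modeling strings.ilevenshtein.
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def matches_rule(display_name, root_domain, dmarc_pass,
                 org_domains=frozenset(), high_trust=frozenset()):
    # Returns True when the rule would flag an inbound message with these fields.
    name = replace_confusables(display_name)
    looks_like_uhc = (ilike(name, "*united healthcare*") or ilike(name, "UHC*")
                      or ilevenshtein(name, "united healthcare") <= 1)
    if not looks_like_uhc:
        return False
    # Exclusion 1: our own domains, or verified UHC senders that pass DMARC.
    verified_uhc = (root_domain in UHC_ROOT_DOMAINS
                    or display_name in UHC_DISPLAY_NAMES) and dmarc_pass
    if root_domain in org_domains or verified_uhc:
        return False
    # Exclusion 2: high-trust root domains, but only when DMARC passes.
    return not (root_domain in high_trust and dmarc_pass)
```

Note that a genuine uhc.com message failing DMARC is still flagged, which is the intended behaviour: a DMARC failure on an allowlisted domain is exactly the spoofing case the exclusion must not cover.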