Brand impersonation: United Healthcare

Detects messages impersonating United Healthcare (UHC) by analyzing display names that contain variations of 'United Healthcare' or 'UHC', including those with character substitutions. The rule excludes legitimate messages from verified UHC domains that pass DMARC authentication and handles high-trust sender domains appropriately.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: United Healthcare"
 2description: "Detects messages impersonating United Healthcare (UHC) by analyzing display names that contain variations of 'United Healthcare' or 'UHC', including those with character substitutions. The rule excludes legitimate messages from verified UHC domains that pass DMARC authentication and handles high-trust sender domains appropriately."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    // display name contains UHC
 9    (
10      strings.ilike(strings.replace_confusables(sender.display_name),
11                    '*united healthcare*'
12      )
13      or strings.ilike(strings.replace_confusables(sender.display_name), 'UHC*')
14    )
15    // levenshtein distance similar to UHC
16    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
17                            'united healthcare'
18    ) <= 1
19  )
20  // and the sender is not in org_domains or from UHC domains and passes auth
21  and not (
22    sender.email.domain.root_domain in $org_domains
23    or (
24      (
25        sender.email.domain.root_domain in (
26          "uhc.com",
27          "unitedhealthcare.com",
28          "uhcmedicaresolutions.com",
29          "unitedhealthcareupdate.com",
30          "yourhealth-wellnessteam.com",
31          "uhc-customer.com"
32        )
33        or sender.display_name in (
34          "UHCOM Faculty Affairs",
35          "UHC Construction Services"
36        )
37      )
38      and headers.auth_summary.dmarc.pass
39    )
40  )
41  // and the sender is not from high trust sender root domains
42  and (
43    (
44      sender.email.domain.root_domain in $high_trust_sender_root_domains
45      and not headers.auth_summary.dmarc.pass
46    )
47    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
48  )  
49
50attack_types:
51  - "Credential Phishing"
52tactics_and_techniques:
53  - "Impersonation: Brand"
54  - "Social engineering"
55detection_methods:
56  - "Header analysis"
57  - "Sender analysis"
58id: "f8dfff1a-8f3e-5301-b2d7-b68a78ad34db"