Brand impersonation: United Healthcare
Detects messages impersonating United Healthcare (UHC) by analyzing display names that contain variations of 'United Healthcare' or 'UHC', including those with character substitutions. The rule excludes legitimate messages from verified UHC domains that pass DMARC authentication and handles high-trust sender domains appropriately.
Sublime rule:

name: "Brand impersonation: United Healthcare"
description: "Detects messages impersonating United Healthcare (UHC) by analyzing display names that contain variations of 'United Healthcare' or 'UHC', including those with character substitutions. The rule excludes legitimate messages from verified UHC domains that pass DMARC authentication and handles high-trust sender domains appropriately."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // display name contains UHC
    (
      strings.ilike(strings.replace_confusables(sender.display_name),
                    '*united healthcare*'
      )
      or strings.ilike(strings.replace_confusables(sender.display_name), 'UHC*')
      or regex.icontains(sender.display_name, 'united ?health ?care')
    )
    // levenshtein distance similar to UHC
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'united healthcare'
    ) <= 1
    or (
      regex.icontains(body.current_thread.text, 'united ?health ?care')
      and regex.icontains(body.current_thread.text, 'quick .{0,10}survey')
    )
  )
  // and the sender is not in org_domains or from UHC domains and passes auth
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      (
        sender.email.domain.root_domain in (
          "uhc.com",
          "unitedhealthcare.com",
          "uhcmedicaresolutions.com",
          "unitedhealthcareupdate.com",
          "yourhealth-wellnessteam.com",
          "uhc-customer.com",
          "leavesource.com"
        )
        or sender.display_name in (
          "UHCOM Faculty Affairs",
          "UHC Construction Services"
        )
      )
      and headers.auth_summary.dmarc.pass
    )
  )
  // negate UHC job related posting
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Professional and Career Development"
              and .confidence == "high"
  )
  // and the sender is not from high trust sender root domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "f8dfff1a-8f3e-5301-b2d7-b68a78ad34db"
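To show how the display-name clauses and the verified-sender exclusion behave on sample input, here is an added Python re-implementation; it is not Sublime's code, and the confusables map and the domain set are constructed subsets standing in for strings.replace_confusables() and the rule's full domain list.

```python
import re

# Constructed subset of a confusables map; stands in for Sublime's
# strings.replace_confusables(), which covers far more code points.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c",  # Cyrillic a e o c
    "\u0456": "i", "\u0440": "p", "\u0455": "s", "\u0443": "y",  # Cyrillic i p s y
    "\u0423": "U", "\u041d": "H", "\u0421": "C",                  # Cyrillic U H C
    "0": "o", "1": "l", "3": "e",                                  # digit look-alikes
}

# Constructed subset of the rule's verified UHC root domains.
UHC_DOMAINS = {"uhc.com", "unitedhealthcare.com"}


def replace_confusables(text):
    """Map look-alike characters to their ASCII counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def ilevenshtein(a, b):
    """Case-insensitive Levenshtein edit distance (standard row-by-row DP)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def display_name_impersonates_uhc(display_name):
    """Mirror the rule's display-name clauses (ilike, regex, levenshtein)."""
    norm = replace_confusables(display_name)
    low = norm.lower()
    return (
        "united healthcare" in low                                     # ilike '*united healthcare*'
        or low.startswith("uhc")                                       # ilike 'UHC*'
        or re.search(r"united ?health ?care", display_name, re.I) is not None
        or ilevenshtein(norm, "united healthcare") <= 1
    )


def should_flag(display_name, sender_root_domain, dmarc_pass):
    """Flag a match unless it comes from a verified UHC domain that passes DMARC."""
    if not display_name_impersonates_uhc(display_name):
        return False
    if sender_root_domain in UHC_DOMAINS and dmarc_pass:
        return False  # the rule's legitimate-sender exclusion
    return True
```

The body-text survey clause, the NLU job-posting negation and the $high_trust_sender_root_domains handling are left out so the block stays focused on the display-name logic.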