Brand impersonation: United Healthcare
Detects messages impersonating United Healthcare (UHC) by analyzing display names that contain variations of 'United Healthcare' or 'UHC', including those with character substitutions, and by looking for the brand name in the body alongside a survey or free-benefit lure or in the sender's local part from a non-UHC domain. The rule excludes messages from the organization's own domains, excludes known UHC sending domains (and two known-benign 'UHC…' display names) only when they pass DMARC, and excludes senders on the high-trust sender root domain list unless they fail DMARC.
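name: "Brand impersonation: United Healthcare"
description: "Detects messages impersonating United Healthcare (UHC) by analyzing display names that contain variations of 'United Healthcare' or 'UHC', including those with character substitutions, and by looking for the brand name in the body alongside a survey or free-benefit lure or in the sender's local part from a non-UHC domain. Messages from the organization's own domains and from known UHC sending domains are excluded only when they pass DMARC; senders on the high-trust sender root domain list are excluded unless they fail DMARC."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // display name contains UHC; confusable characters are normalized first so
    // homoglyph substitutions (e.g. Cyrillic letters) still match
    (
      strings.ilike(strings.replace_confusables(sender.display_name),
                    '*united healthcare*'
      )
      // prefix match: any display name beginning with "UHC". This is broad by
      // design; known-benign "UHC…" display names are carved out in the
      // exclusion block further down rather than narrowing the match here.
      or strings.ilike(strings.replace_confusables(sender.display_name), 'UHC*')
      or regex.icontains(sender.display_name, 'united ?health ?care')
    )
    // levenshtein distance similar to UHC (one edit away, e.g. a dropped or
    // swapped character)
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'united healthcare'
    ) <= 1
    // brand named in the current message body together with a lure that is
    // typical of UHC impersonation campaigns
    or (
      regex.icontains(body.current_thread.text, 'united ?health ?care')
      and (
        regex.icontains(body.current_thread.text, 'quick .{0,10}survey')
        // Free benefits/items lure commonly used in UHC impersonation
        or regex.icontains(body.current_thread.text,
                           'dental (benefits?|coverage).{0,50}(free|eligible|no.{0,10}cost)'
        )
        or regex.icontains(body.current_thread.text,
                           'free.{0,30}(toothbrush|dental|benefit)'
        )
      )
    )
    // Brand name in sender local part from non-UHC domain.
    // NOTE: this domain list is duplicated in the exclusion block below
    // (MQL has no way to share a list inside the rule); keep both in sync.
    or (
      strings.icontains(sender.email.local_part, "unitedhealthcare")
      and sender.email.domain.root_domain not in (
        "uhc.com",
        "unitedhealthcare.com",
        "uhcmedicaresolutions.com",
        "unitedhealthcareupdate.com",
        "yourhealth-wellnessteam.com",
        "uhc-customer.com",
        "leavesource.com"
      )
    )
  )
  // Exclude the organization's own domains, known UHC sending domains and the
  // known-benign "UHC…" display names ONLY when the message passes DMARC.
  // Previously the org_domains exclusion was unconditional, so an inbound
  // message whose From: merely claimed one of the org's own domains bypassed
  // the rule without any authentication - which is exactly what a spoofed
  // impersonation looks like. If a legitimate third party sends as your domain
  // without DMARC alignment, fix the alignment rather than re-widening this.
  and not (
    (
      sender.email.domain.root_domain in $org_domains
      or sender.email.domain.root_domain in (
        "uhc.com",
        "unitedhealthcare.com",
        "uhcmedicaresolutions.com",
        "unitedhealthcareupdate.com",
        "yourhealth-wellnessteam.com",
        "uhc-customer.com",
        "leavesource.com"
      )
      // display names that legitimately start with "UHC" and would otherwise
      // be caught by the 'UHC*' prefix match above
      or sender.display_name in (
        "UHCOM Faculty Affairs",
        "UHC Construction Services"
      )
    )
    and headers.auth_summary.dmarc.pass
  )
  // negate UHC job related postings (career/recruiting mail that names the
  // brand but is not an impersonation lure)
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Professional and Career Development"
              and .confidence == "high"
  )
  // negate highly trusted sender root domains unless they fail DMARC
  // authentication; a high-trust domain that fails DMARC is still suspicious
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "f8dfff1a-8f3e-5301-b2d7-b68a78ad34db"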