diff --git a/detection-rules/brand_impersonation_aquent.yml b/detection-rules/brand_impersonation_aquent.yml
new file mode 100644
index 00000000000..f9483cc6e78
--- /dev/null
+++ b/detection-rules/brand_impersonation_aquent.yml
@@ -0,0 +1,67 @@
+name: "Brand impersonation: Aquent"
+description: "Detects messages impersonating Aquent, a staffing and talent solutions company, by analyzing sender display names and body content for Aquent branding and office addresses from unauthorized domains."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ regex.icontains(sender.display_name, 'Aquent\b')
+ // look for Aquent address from footer, or current address being used by actors
+ or (
+ strings.icontains(body.current_thread.text, 'Aquent')
+ and (
+ (
+ strings.icontains(body.current_thread.text, '2884 Sand Hill Road')
+ and strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025')
+ )
+ or (
+ strings.icontains(body.current_thread.text, '501 Boylston St')
+ and strings.icontains(body.current_thread.text, 'Boston, MA 02116')
+ )
+ )
+ )
+ )
+ and not (
+ sender.email.domain.root_domain in $org_domains
+ or (
+ sender.email.domain.root_domain in (
+ "aquent.com",
+ "dice.com",
+ "roberthalf.com",
+ "roberthalf.be",
+ "service-now.com",
+ "protiviti.com",
+ "atlassian.net",
+ "workday.com",
+ "myworkday.com",
+ "rapdev.io",
+ "immersivelabs.com",
+ "outsidegc.com"
+ )
+ and headers.auth_summary.dmarc.pass
+ )
+ )
+ // not a forward or reply
+ and (headers.in_reply_to is null or length(headers.references) == 0)
+ and not any(ml.nlu_classifier(body.current_thread.text).topics,
+ .name == "Advertising and Promotions" and .confidence != "low"
+ )
+ // negate instances where proofpoint sends a review of a reported message via analyzer
+ and not (
+ sender.email.email == "analyzer@analyzer.securityeducation.com"
+ and any(headers.domains, .root_domain == "pphosted.com")
+ and headers.auth_summary.spf.pass
+ and headers.auth_summary.dmarc.pass
+ )
+
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
+id: 
"5074459c-d48e-5ff6-9a08-3da38c2963d9"
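Review bot: The DMARC-gated exclusion list inside the `and not (` block mixes Aquent's own domain with multi-tenant platforms such as `atlassian.net`, `service-now.com`, `workday.com`, `myworkday.com` and `dice.com`; a DMARC pass on those root domains only attests that the platform sent the message, not that the sending tenant is Aquent, so any tenant of those services whose mail mentions Aquent together with one of the listed addresses is silently excluded. Consider narrowing those entries to the specific sending addresses or subdomains Aquent is known to use, or at least document the rationale per entry, e.g. `// third-party platforms seen sending Aquent-branded mail; DMARC pass is required but does not prove tenant identity`. Separately, `regex.icontains(sender.display_name, 'Aquent\b')` anchors only the trailing edge, so a display name containing a longer token ending in "aquent" also matches; `'\bAquent\b'` looks like the intent. Nothing in the hunk records where the two office addresses were observed, so a short comment noting their source would help a future reviewer judge when they go stale.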