From da9d9365ae00a2aa7108327e12d1d5e1570e6131 Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Tue, 30 Sep 2025 16:35:08 -0400
Subject: [PATCH 01/11] Create brand_impersonation_aquent.yml

---
 .../brand_impersonation_aquent.yml | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 detection-rules/brand_impersonation_aquent.yml

diff --git a/detection-rules/brand_impersonation_aquent.yml b/detection-rules/brand_impersonation_aquent.yml
new file mode 100644
index 00000000000..b5a98de5e47
--- /dev/null
+++ b/detection-rules/brand_impersonation_aquent.yml
@@ -0,0 +1,46 @@
+name: "Brand impersonation: Aquent"
+description: "Detects messages impersonating Aquent, a staffing and talent solutions company, by analyzing sender display names and body content for Aquent branding and office addresses from unauthorized domains."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ strings.icontains(sender.display_name, 'Aquent')
+ // look for Aquent address from footer, or current address being used by actors
+ or 3 of (
+ strings.icontains(sender.display_name, "Aquent"),
+ strings.icontains(body.current_thread.text, 'Aquent'),
+ strings.icontains(body.current_thread.text, '2884 Sand Hill Road'),
+ strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025'),
+ strings.icontains(body.current_thread.text, '501 Boylston Street'),
+ strings.icontains(body.current_thread.text, 'Boston, MA 02116')
+ )
+ )
+ and not (
+ sender.email.domain.root_domain in $org_domains
+ or (
+ sender.email.domain.root_domain in (
+ "aquent.com",
+ "dice.com",
+ "roberthalf.com",
+ "roberthalf.be",
+ "service-now.com",
+ "protiviti.com",
+ "atlassian.net",
+ "workday.com",
+ "myworkday.com"
+ )
+ and headers.auth_summary.dmarc.pass
+ )
+ )
+
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
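Review bot: The `$org_domains` exemption inside the `and not (...)` block is unconditional, while the vendor-domain list right next to it is only honoured together with `headers.auth_summary.dmarc.pass`; an inbound message whose From domain merely claims one of the org's own domains is therefore exempted without having authenticated. Gating it the same way, `sender.email.domain.root_domain in $org_domains and headers.auth_summary.dmarc.pass`, keeps the exemption for genuine internal senders and lets the impersonation checks run on unauthenticated look-alikes. The street and city strings in the `3 of (...)` group are the part of the rule most likely to need maintenance, so a short comment naming which office each pair belongs to (`// Menlo Park office` / `// Boston office`) would help whoever updates them next.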
From 89f6f7730b9c62ead4170a227bf3080807961448 Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Tue, 30 Sep 2025 16:39:51 -0400
Subject: [PATCH 02/11] Update brand_impersonation_aquent.yml

From aebbc93aed56ac591439120d72a87bbe28b140fd Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Tue, 30 Sep 2025 20:41:08 +0000
Subject: [PATCH 03/11] Auto add rule ID

---
 detection-rules/brand_impersonation_aquent.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/brand_impersonation_aquent.yml b/detection-rules/brand_impersonation_aquent.yml
index b5a98de5e47..071a9c9f6ac 100644
--- a/detection-rules/brand_impersonation_aquent.yml
+++ b/detection-rules/brand_impersonation_aquent.yml
@@ -44,3 +44,4 @@ detection_methods:
 - "Content analysis"
 - "Header analysis"
 - "Sender analysis"
+id: "5074459c-d48e-5ff6-9a08-3da38c2963d9"

From 4d31db559a98883eede59b7e8189dbb164458008 Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Tue, 30 Sep 2025 19:49:34 -0400
Subject: [PATCH 04/11] Update brand_impersonation_aquent.yml

---
 detection-rules/brand_impersonation_aquent.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/detection-rules/brand_impersonation_aquent.yml b/detection-rules/brand_impersonation_aquent.yml
index 071a9c9f6ac..498275264e0 100644
--- a/detection-rules/brand_impersonation_aquent.yml
+++ b/detection-rules/brand_impersonation_aquent.yml
@@ -7,8 +7,7 @@ source: |
 and (
 strings.icontains(sender.display_name, 'Aquent')
 // look for Aquent address from footer, or current address being used by actors
- or 3 of (
- strings.icontains(sender.display_name, "Aquent"),
+ or 2 of (
 strings.icontains(body.current_thread.text, 'Aquent'),
 strings.icontains(body.current_thread.text, '2884 Sand Hill Road'),
 strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025'),

From bc716c045028e6f7b1d2dc6e0334986c07857f3d Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Wed, 1 Oct 2025 12:58:45 -0400
Subject: [PATCH 05/11] Update brand_impersonation_aquent.yml

---
 detection-rules/brand_impersonation_aquent.yml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/detection-rules/brand_impersonation_aquent.yml b/detection-rules/brand_impersonation_aquent.yml
index 498275264e0..1976568048f 100644
--- a/detection-rules/brand_impersonation_aquent.yml
+++ b/detection-rules/brand_impersonation_aquent.yml
@@ -27,11 +27,24 @@ source: |
 "protiviti.com",
 "atlassian.net",
 "workday.com",
- "myworkday.com"
+ "myworkday.com",
+ "rapdev.io",
+ "immersivelabs.com"
 )
 and headers.auth_summary.dmarc.pass
 )
 )
+ // not a forward or reply
+ and (headers.in_reply_to is null or length(headers.references) == 0)
+ and not any(ml.nlu_classifier(body.current_thread.text).topics,
+ .name == "Advertising and Promotions" and .confidence != "low"
+ )
+ // negate instances where proofpoint sends a review of a reported message via analyzer
+ and not (
+ any(headers.domains, .root_domain == "pphosted.com")
+ and headers.auth_summary.spf.pass
+ and headers.auth_summary.dmarc.pass
+ )
 
 attack_types:
 - "BEC/Fraud"

From bbbbc54ce07163069dc7464496b7c4ebca2452d3 Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Fri, 3 Oct 2025 12:22:19 -0400
Subject: [PATCH 06/11] Update brand_impersonation_aquent.yml

---
 detection-rules/brand_impersonation_aquent.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/detection-rules/brand_impersonation_aquent.yml b/detection-rules/brand_impersonation_aquent.yml
index 1976568048f..636410ba1a6 100644
--- a/detection-rules/brand_impersonation_aquent.yml
+++ b/detection-rules/brand_impersonation_aquent.yml
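Review bot: The new `// not a forward or reply` guard joins its two tests with `or`, so a message is only treated as threaded when In-Reply-To is set and References is non-empty; a message carrying just one of those headers still falls through to the rest of the rule, which is looser than the comment reads. If that tolerance is intentional the comment should say so; if not, `and (headers.in_reply_to is null and length(headers.references) == 0)` is the stricter form that matches the comment. Separately, `rapdev.io` and `immersivelabs.com` (and `outsidegc.com`, added the same way in PATCH 06) join the exempted-domain list with no note on why they legitimately reference Aquent; a one-line comment above the list such as `// vendors/partners seen legitimately referencing Aquent; still required to pass DMARC` would save the next maintainer a lookup. The `source` block this hunk edits begins before and continues after the hunk.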
@@ -5,7 +5,7 @@ severity: "medium"
 source: |
 type.inbound
 and (
- strings.icontains(sender.display_name, 'Aquent')
+ strings.icontains(sender.display_name, 'Aquent\b')
 // look for Aquent address from footer, or current address being used by actors
 or 2 of (
 strings.icontains(body.current_thread.text, 'Aquent'),
@@ -29,7 +29,8 @@ source: |
 "workday.com",
 "myworkday.com",
 "rapdev.io",
- "immersivelabs.com"
+ "immersivelabs.com",
+ "outsidegc.com"
 )
 and headers.auth_summary.dmarc.pass
 )

From c531568fcef486237aa0c779635db8b6c336925e Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Mon, 6 Oct 2025 09:28:15 -0400
Subject: [PATCH 07/11] Update brand_impersonation_aquent.yml

---
 detection-rules/brand_impersonation_aquent.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/brand_impersonation_aquent.yml b/detection-rules/brand_impersonation_aquent.yml
index 636410ba1a6..b350d171a6d 100644
--- a/detection-rules/brand_impersonation_aquent.yml
+++ b/detection-rules/brand_impersonation_aquent.yml
@@ -7,7 +7,7 @@ source: |
 and (
 strings.icontains(sender.display_name, 'Aquent\b')
 // look for Aquent address from footer, or current address being used by actors
- or 2 of (
+ or 3 of (
 strings.icontains(body.current_thread.text, 'Aquent'),
 strings.icontains(body.current_thread.text, '2884 Sand Hill Road'),
 strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025'),

From 3f32d868a9f803c2bf70d56c0c1d86633f56751b Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Mon, 6 Oct 2025 11:50:16 -0400
Subject: [PATCH 08/11] Update brand_impersonation_aquent.yml

---
 detection-rules/brand_impersonation_aquent.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/brand_impersonation_aquent.yml b/detection-rules/brand_impersonation_aquent.yml
index b350d171a6d..a079e1d1e77 100644
--- a/detection-rules/brand_impersonation_aquent.yml
+++ b/detection-rules/brand_impersonation_aquent.yml
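Review bot: The `\b` appended in `strings.icontains(sender.display_name, 'Aquent\b')` is not a word boundary here: as far as I can tell `strings.icontains` is a plain case-insensitive substring test, so it looks for the literal characters backslash and b, and from this commit on the display-name branch no longer matches a real display name such as "Aquent Recruiting". A word boundary needs the regex form, `regex.icontains(sender.display_name, 'Aquent\b')`, which PATCH 09 in this series eventually adopts; squashing the two commits would avoid shipping the dead branch in between and is worth a short comment on the line (`// word boundary so "Aquent" alone matches, not longer tokens`). The `source` block this hunk edits begins before and continues after the hunk.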
@@ -11,7 +11,7 @@ source: |
 strings.icontains(body.current_thread.text, 'Aquent'),
 strings.icontains(body.current_thread.text, '2884 Sand Hill Road'),
 strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025'),
- strings.icontains(body.current_thread.text, '501 Boylston Street'),
+ strings.icontains(body.current_thread.text, '501 Boylston St'),
 strings.icontains(body.current_thread.text, 'Boston, MA 02116')
 )
 )

From 6ec22c77624c159c4628afe3320eb8eed20975e9 Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Tue, 7 Oct 2025 14:33:07 -0400
Subject: [PATCH 09/11] Update brand_impersonation_aquent.yml

---
 detection-rules/brand_impersonation_aquent.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/brand_impersonation_aquent.yml b/detection-rules/brand_impersonation_aquent.yml
index a079e1d1e77..1ccb5e702b6 100644
--- a/detection-rules/brand_impersonation_aquent.yml
+++ b/detection-rules/brand_impersonation_aquent.yml
@@ -5,7 +5,7 @@ severity: "medium"
 source: |
 type.inbound
 and (
- strings.icontains(sender.display_name, 'Aquent\b')
+ regex.icontains(sender.display_name, 'Aquent\b')
 // look for Aquent address from footer, or current address being used by actors
 or 3 of (
 strings.icontains(body.current_thread.text, 'Aquent'),

From ab6e9dea755532ea3990e70d5e3bec899584b335 Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Tue, 7 Oct 2025 14:42:40 -0400
Subject: [PATCH 10/11] Update brand_impersonation_aquent.yml

---
 detection-rules/brand_impersonation_aquent.yml | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/detection-rules/brand_impersonation_aquent.yml b/detection-rules/brand_impersonation_aquent.yml
index 1ccb5e702b6..b37f6964da4 100644
--- a/detection-rules/brand_impersonation_aquent.yml
+++ b/detection-rules/brand_impersonation_aquent.yml
@@ -7,12 +7,18 @@ source: |
 and (
 regex.icontains(sender.display_name, 'Aquent\b')
 // look for Aquent address from footer, or current address being used by actors
- or 3 of (
- strings.icontains(body.current_thread.text, 'Aquent'),
- strings.icontains(body.current_thread.text, '2884 Sand Hill Road'),
- strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025'),
- strings.icontains(body.current_thread.text, '501 Boylston St'),
- strings.icontains(body.current_thread.text, 'Boston, MA 02116')
+ or (
+ strings.icontains(body.current_thread.text, 'Aquent')
+ and (
+ (
+ strings.icontains(body.current_thread.text, '2884 Sand Hill Road')
+ and strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025')
+ )
+ or (
+ strings.icontains(body.current_thread.text, '501 Boylston St')
+ and strings.icontains(body.current_thread.text, 'Boston, MA 02116')
+ )
+ )
 )
 )
 and not (

From 3b9410c37a029331c4a1526b1342d4fe51bafd54 Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Tue, 7 Oct 2025 18:28:09 -0400
Subject: [PATCH 11/11] Update brand_impersonation_aquent.yml

---
 detection-rules/brand_impersonation_aquent.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/detection-rules/brand_impersonation_aquent.yml b/detection-rules/brand_impersonation_aquent.yml
index b37f6964da4..f9483cc6e78 100644
--- a/detection-rules/brand_impersonation_aquent.yml
+++ b/detection-rules/brand_impersonation_aquent.yml
@@ -48,7 +48,8 @@ source: |
 )
 // negate instances where proofpoint sends a review of a reported message via analyzer
 and not (
- any(headers.domains, .root_domain == "pphosted.com")
+ sender.email.email == "analyzer@analyzer.securityeducation.com"
+ and any(headers.domains, .root_domain == "pphosted.com")
 and headers.auth_summary.spf.pass
 and headers.auth_summary.dmarc.pass
 )
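Review bot: The restructured body branch now hinges on exact city/state/ZIP substrings such as `'Menlo Park, CA 94025'` and `'Boston, MA 02116'`, so any ordinary formatting variation in a footer (an extra comma, a line break or double space between city, state and ZIP) drops the match even though the street line still hits; a tolerant pattern per pair, e.g. `regex.icontains(body.current_thread.text, 'Menlo Park,?\s+CA,?\s+94025')` and `regex.icontains(body.current_thread.text, 'Boston,?\s+MA,?\s+02116')`, keeps the intent without the brittleness. The comment above the block, `// look for Aquent address from footer, or current address being used by actors`, predates this change and no longer explains the shape of the logic; `// require the Aquent name plus one complete office address (street line and matching city/ZIP line)` would describe what the hunk now does. The enclosing `source` block starts before this hunk and continues past it.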