Skip to content

Create brand_impersonation_aquent.yml #3326

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
Oct 9, 2025
Merged

Create brand_impersonation_aquent.yml #3326

Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
da9d936
Create brand_impersonation_aquent.yml
markmsublime Sep 30, 2025
89f6f77
Update brand_impersonation_aquent.yml
markmsublime Sep 30, 2025
aebbc93
Auto add rule ID
Sep 30, 2025
4d31db5
Update brand_impersonation_aquent.yml
markmsublime Sep 30, 2025
bc716c0
Update brand_impersonation_aquent.yml
markmsublime Oct 1, 2025
bbbbc54
Update brand_impersonation_aquent.yml
markmsublime Oct 3, 2025
c531568
Update brand_impersonation_aquent.yml
markmsublime Oct 6, 2025
3f32d86
Update brand_impersonation_aquent.yml
markmsublime Oct 6, 2025
6ec22c7
Update brand_impersonation_aquent.yml
markmsublime Oct 7, 2025
ab6e9de
Update brand_impersonation_aquent.yml
markmsublime Oct 7, 2025
3b9410c
Update brand_impersonation_aquent.yml
markmsublime Oct 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions detection-rules/brand_impersonation_aquent.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
name: "Brand impersonation: Aquent"
description: "Detects messages impersonating Aquent, a staffing and talent solutions company, by analyzing sender display names and body content for Aquent branding and office addresses from unauthorized domains."
type: "rule"
severity: "medium"
source: |
type.inbound
and (
regex.icontains(sender.display_name, 'Aquent\b')
// look for Aquent address from footer, or current address being used by actors
or (
strings.icontains(body.current_thread.text, 'Aquent')
and (
(
strings.icontains(body.current_thread.text, '2884 Sand Hill Road')
and strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025')
)
or (
strings.icontains(body.current_thread.text, '501 Boylston St')
and strings.icontains(body.current_thread.text, 'Boston, MA 02116')
)
)
)
)
and not (
sender.email.domain.root_domain in $org_domains
or (
sender.email.domain.root_domain in (
"aquent.com",
"dice.com",
"roberthalf.com",
"roberthalf.be",
"service-now.com",
"protiviti.com",
"atlassian.net",
"workday.com",
"myworkday.com",
"rapdev.io",
"immersivelabs.com",
"outsidegc.com"
)
and headers.auth_summary.dmarc.pass
)
)
// not a forward or reply
and (headers.in_reply_to is null or length(headers.references) == 0)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
.name == "Advertising and Promotions" and .confidence != "low"
)
// negate instances where proofpoint sends a review of a reported message via analyzer
and not (
sender.email.email == "analyzer@analyzer.securityeducation.com"
and any(headers.domains, .root_domain == "pphosted.com")
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
)

attack_types:
- "BEC/Fraud"
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
id: "5074459c-d48e-5ff6-9a08-3da38c2963d9"
Loading