Brand impersonation: Purdue ePlanroom with suspicious links
Detects messages impersonating Purdue ePlanroom with links that are either not from the legitimate reprographix.com domain or that carry suspicious credential-theft indicators.
Detection Query
// Scope: inbound mail whose body mentions the impersonated brand
type.inbound
and strings.icontains(body.current_thread.text, "Purdue ePlanroom")
and (
  // The "Review This Project" call-to-action points somewhere other than the legitimate root domain
  any(filter(body.links, strings.contains(.display_text, "Review This Project")),
      .href_url.domain.root_domain != "reprographix.com"
  )
  // ...or link analysis classifies any link as credential phishing
  or any(body.links, ml.link_analysis(.).credphish.disposition == "phishing")
)
// Exclude genuine mail: sent from reprographix.com and DMARC-authenticated
and not (
  sender.email.domain.root_domain == "reprographix.com"
  and headers.auth_summary.dmarc.pass
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Purdue ePlanroom with suspicious links"
description: "Detects messages impersonating Purdue ePlanroom with links that are either not from the legitimate reprographix.com domain or that carry suspicious credential-theft indicators."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.icontains(body.current_thread.text, "Purdue ePlanroom")
  and (
    any(filter(body.links, strings.contains(.display_text, "Review This Project")),
        .href_url.domain.root_domain != "reprographix.com"
    )
    or any(body.links, ml.link_analysis(.).credphish.disposition == "phishing")
  )
  and not (
    sender.email.domain.root_domain == "reprographix.com"
    and headers.auth_summary.dmarc.pass
  )
attack_types:
- "Credential Phishing"
- "BEC/Fraud"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Sender analysis"
- "URL analysis"
id: "4db5b0b6-b2dd-5d39-9c74-baa6ddcf7e5b"