
Brand impersonation: Aquent

Detects messages impersonating Aquent, a staffing and talent solutions company, by analyzing sender display names and body content for Aquent branding and office addresses from unauthorized domains.

Detection Query

// Flag inbound mail that carries Aquent branding (sender display name, or the
// brand name together with a known office address in the body) when the sender
// domain is neither an org domain nor an approved partner domain.
type.inbound
and (
  // trailing \b word boundary only; the match is not anchored on the left
  regex.icontains(sender.display_name, 'Aquent\b')
  // look for Aquent address from footer, or current address being used by actors
  or (
    strings.icontains(body.current_thread.text, 'Aquent')
    and (
      // Menlo Park office address
      (
        strings.icontains(body.current_thread.text, '2884 Sand Hill Road')
        and strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025')
      )
      // Boston office address
      or (
        strings.icontains(body.current_thread.text, '501 Boylston St')
        and strings.icontains(body.current_thread.text, 'Boston, MA 02116')
      )
    )
  )
)
// exclude senders expected to reference Aquent legitimately
and not (
  // NOTE(review): the org-domain exclusion carries no authentication check,
  // unlike the partner list below which also requires DMARC pass; confirm a
  // spoofed org-domain sender is meant to be excluded here.
  sender.email.domain.root_domain in $org_domains
  or (
    // partner/vendor domains; DMARC pass is required so that a spoofed
    // partner domain does not inherit the exclusion
    sender.email.domain.root_domain in (
      "aquent.com",
      "dice.com",
      "roberthalf.com",
      "roberthalf.be",
      "service-now.com",
      "protiviti.com",
      "atlassian.net",
      "workday.com",
      "myworkday.com",
      "rapdev.io",
      "immersivelabs.com",
      "outsidegc.com"
    )
    and headers.auth_summary.dmarc.pass
  )
)
// not a forward or reply
and (headers.in_reply_to is null or length(headers.references) == 0)
// drop mail the NLU classifier tags as advertising with non-low confidence
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name == "Advertising and Promotions" and .confidence != "low"
)
// negate instances where proofpoint sends a review of a reported message via analyzer
// (exact analyzer sender, Proofpoint-hosted header domain, SPF and DMARC pass)
and not (
  sender.email.email == "analyzer@analyzer.securityeducation.com"
  and any(headers.domains, .root_domain == "pphosted.com")
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Detection rule definition for the Aquent brand-impersonation rule.
name: "Brand impersonation: Aquent"
description: "Detects messages impersonating Aquent, a staffing and talent solutions company, by analyzing sender display names and body content for Aquent branding and office addresses from unauthorized domains."
type: "rule"
severity: "medium"
# MQL rule body; `type.inbound` restricts it to inbound mail. The first
# `not (...)` excludes org domains without an authentication check but
# excludes partner domains only when DMARC passes.
source: |
  type.inbound
  and (
    regex.icontains(sender.display_name, 'Aquent\b')
    // look for Aquent address from footer, or current address being used by actors
    or (
      strings.icontains(body.current_thread.text, 'Aquent')
      and (
        (
          strings.icontains(body.current_thread.text, '2884 Sand Hill Road')
          and strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025')
        )
        or (
          strings.icontains(body.current_thread.text, '501 Boylston St')
          and strings.icontains(body.current_thread.text, 'Boston, MA 02116')
        )
      )
    )
  )
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      sender.email.domain.root_domain in (
        "aquent.com",
        "dice.com",
        "roberthalf.com",
        "roberthalf.be",
        "service-now.com",
        "protiviti.com",
        "atlassian.net",
        "workday.com",
        "myworkday.com",
        "rapdev.io",
        "immersivelabs.com",
        "outsidegc.com"
      )
      and headers.auth_summary.dmarc.pass
    )
  )
  // not a forward or reply
  and (headers.in_reply_to is null or length(headers.references) == 0)
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Advertising and Promotions" and .confidence != "low"
  )
  // negate instances where proofpoint sends a review of a reported message via analyzer 
  and not (
    sender.email.email == "analyzer@analyzer.securityeducation.com"
    and any(headers.domains, .root_domain == "pphosted.com")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )

# Classification metadata.
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
# Rule identifier.
id: "5074459c-d48e-5ff6-9a08-3da38c2963d9"