Sublime | medium | Rule

Brand impersonation: McAfee

Detects messages impersonating McAfee through display name, subject line, body content, or NLU entity detection when the sender is not from verified McAfee domains or other high-trust domains with valid DMARC authentication.

Detection Query

type.inbound
and (
  regex.icontains(body.current_thread.text,
                  'McAfee.{0,30}(?:Defense|Protection)'
  )
  or regex.icontains(subject.base, 'McAfee.{0,30}(?:Defense|Protection)')
  or regex.icontains(sender.display_name,
                     '^[\s[:punct:]]*mc\s*a+f+ee+(?:$|[^,])'
  )
  or (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name in ("org", "sender") and strings.icontains(.text, 'mcafee')
    )
    and length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                      .name == "urgency"
               )
    ) >= 2
  )
)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in ("Newsletters and Digests", "Advertising and Promotions")
            and .confidence != "low"
)
and not (
  sender.email.domain.root_domain in ('mcafee.com', 'mcafeesecure.com')
  and headers.auth_summary.dmarc.pass
)
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and headers.auth_summary.dmarc.pass
)
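As an added illustration that is not part of the Sublime rule or its documentation, the following Python port re-implements each clause of the query and runs it over a handful of constructed messages. The `Message` class, the sample messages and their entity/topic lists are stand-ins for Sublime's message model and NLU classifier output (assumptions of this port), and the explicit ASCII punctuation class replaces MQL's `[:punct:]`. It shows which trigger fires for each sample and how the DMARC-backed domain exclusions and the newsletter/promotion exclusion suppress matches.

```python
"""Offline port of the 'Brand impersonation: McAfee' rule logic (added example)."""
import re
from dataclasses import dataclass, field

# Body/subject clause: "McAfee" within 30 characters of "Defense" or "Protection".
BRAND_PHRASE = re.compile(r"McAfee.{0,30}(?:Defense|Protection)", re.I)

# Display-name clause. Python's re has no POSIX [:punct:], so the ASCII
# punctuation ranges are written out (an assumption of this port). The pattern
# tolerates leading spaces/punctuation, "Mc Afee", "McAffee" and extra e's, and
# like the original rejects a comma directly after the name (e.g. "McAfee, LLC").
DISPLAY_NAME = re.compile(r"^[\s!-/:-@\[-`{-~]*mc\s*a+f+ee+(?:$|[^,])", re.I)

EXCLUDED_TOPICS = {"Newsletters and Digests", "Advertising and Promotions"}
MCAFEE_DOMAINS = {"mcafee.com", "mcafeesecure.com"}


@dataclass
class Message:
    """Minimal stand-in for the fields the rule reads. `entities` holds
    constructed NLU output as (name, text) pairs, `topics` as (name, confidence)."""
    display_name: str
    sender_root_domain: str
    dmarc_pass: bool
    subject: str
    body: str
    inbound: bool = True
    entities: list = field(default_factory=list)
    topics: list = field(default_factory=list)


def brand_signal(msg):
    """Return which clause of the rule's positive block fires, or None."""
    if BRAND_PHRASE.search(msg.body):
        return "body"
    if BRAND_PHRASE.search(msg.subject):
        return "subject"
    if DISPLAY_NAME.search(msg.display_name):
        return "display_name"
    names_mcafee = any(n in ("org", "sender") and "mcafee" in t.lower()
                       for n, t in msg.entities)
    urgency_count = sum(1 for n, _ in msg.entities if n == "urgency")
    if names_mcafee and urgency_count >= 2:
        return "nlu"
    return None


def is_newsletter_or_promo(msg):
    """Topic exclusion: a non-low-confidence newsletter/promotion label suppresses the rule."""
    return any(n in EXCLUDED_TOPICS and conf != "low" for n, conf in msg.topics)


def authenticated_from(msg, domains):
    """Domain exclusion only applies when DMARC passed, so a spoofed mcafee.com still fires."""
    return msg.sender_root_domain in domains and msg.dmarc_pass


def matches_rule(msg, high_trust_domains=frozenset()):
    return (msg.inbound
            and brand_signal(msg) is not None
            and not is_newsletter_or_promo(msg)
            and not authenticated_from(msg, MCAFEE_DOMAINS)
            and not authenticated_from(msg, high_trust_domains))


# Constructed sample messages; domains and text are invented for this example.
HIGH_TRUST = frozenset({"partner.example"})
SAMPLES = {
    "lookalike_renewal": Message("McAfee Support", "billing-alerts.example", True,
        "Your McAfee Total Protection subscription has expired",
        "Your McAfee Total Protection plan expired today. Call now to avoid charges.",
        entities=[("org", "McAfee"), ("urgency", "expired today"), ("urgency", "call now")]),
    "display_name_only": Message("Mc Afee Security", "mail-notify.example", True,
        "Action required", "Renew now."),
    "nlu_only": Message("Billing Department", "invoice-desk.example", True,
        "Invoice overdue",
        "Your antivirus subscription from McAfee ends today. Respond within 24 hours.",
        entities=[("org", "McAfee"), ("urgency", "ends today"), ("urgency", "within 24 hours")]),
    "spoofed_mcafee_domain": Message("McAfee", "mcafee.com", False,
        "Renewal notice", "Your McAfee Protection has lapsed."),
    "legit_mcafee": Message("McAfee", "mcafee.com", True,
        "Receipt", "Your McAfee Total Protection renewal receipt is attached."),
    "promo_newsletter": Message("Deals Weekly", "deals.example", True,
        "Save 50% on McAfee Total Protection", "This week's software deals.",
        topics=[("Advertising and Promotions", "high")]),
    "trusted_partner": Message("IT Helpdesk", "partner.example", True,
        "Maintenance", "McAfee Endpoint Protection will be updated tonight."),
}


def evaluate_samples():
    """Map each sample name to whether the rule would fire on it."""
    return {name: matches_rule(msg, HIGH_TRUST) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:24} signal={brand_signal(msg)!s:13} fires={matches_rule(msg, HIGH_TRUST)}")
```

Running the block prints one line per sample; the three impersonation-style samples and the spoofed mcafee.com message fire, while the DMARC-authenticated McAfee and partner messages and the promotion-tagged newsletter do not.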

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content
name: "Brand impersonation: McAfee"
description: "Detects messages impersonating McAfee through display name, subject line, body content, or NLU entity detection when the sender is not from verified McAfee domains or other high-trust domains with valid DMARC authentication."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    regex.icontains(body.current_thread.text,
                    'McAfee.{0,30}(?:Defense|Protection)'
    )
    or regex.icontains(subject.base, 'McAfee.{0,30}(?:Defense|Protection)')
    or regex.icontains(sender.display_name,
                       '^[\s[:punct:]]*mc\s*a+f+ee+(?:$|[^,])'
    )
    or (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name in ("org", "sender") and strings.icontains(.text, 'mcafee')
      )
      and length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                        .name == "urgency"
                 )
      ) >= 2
    )
  )
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ("Newsletters and Digests", "Advertising and Promotions")
              and .confidence != "low"
  )
  and not (
    sender.email.domain.root_domain in ('mcafee.com', 'mcafeesecure.com')
    and headers.auth_summary.dmarc.pass
  )
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and headers.auth_summary.dmarc.pass
  )

attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "6b593b92-b4f8-5a38-a2ba-216432df589c"