EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Brand Impersonation: Procore

Detects messages containing Procore branding language that do not originate from legitimate Procore domains. This has been observed in phishing campaigns.

MITRE ATT&CK

T1566.002T1534T1656T1566T1566.001T1598T1598.003
initial-access

Detection Query

type.inbound
and (
  strings.ilike(body.current_thread.text, "*powered by procore*")
  or 2 of (
    strings.icontains(body.current_thread.text, 'Procore'),
    strings.icontains(body.current_thread.text, '6309 Carpinteria Ave'),
    strings.icontains(body.current_thread.text, 'Carpinteria, CA 93013')
  )
)
and not (
  sender.email.domain.root_domain in ("procore.com", "procoretech.com")
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

// negating legit replies/forwards
and not (
  (
    strings.istarts_with(subject.subject, "RE:")
    or strings.istarts_with(subject.subject, "FW:")
    or strings.istarts_with(subject.subject, "FWD:")
    or regex.imatch(subject.subject,
                    '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
    )
    or strings.istarts_with(subject.subject, "Réponse automatique")
  )
  and (
    length(headers.references) > 0
    and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
)
// negate bounce backs
and not (
  strings.like(sender.email.local_part,
               "*postmaster*",
               "*mailer-daemon*",
               "*administrator*"
  )
  and any(attachments,
          .content_type in (
            "message/rfc822",
            "message/delivery-status",
            "text/calendar"
          )
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand Impersonation: Procore"
description: "Detects messages containing Procore branding language that do not originate from legitimate Procore domains. This has been observed in phishing campaigns."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    strings.ilike(body.current_thread.text, "*powered by procore*")
    or 2 of (
      strings.icontains(body.current_thread.text, 'Procore'),
      strings.icontains(body.current_thread.text, '6309 Carpinteria Ave'),
      strings.icontains(body.current_thread.text, 'Carpinteria, CA 93013')
    )
  )
  and not (
    sender.email.domain.root_domain in ("procore.com", "procoretech.com")
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  
  // negating legit replies/forwards
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      or strings.istarts_with(subject.subject, "FW:")
      or strings.istarts_with(subject.subject, "FWD:")
      or regex.imatch(subject.subject,
                      '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
      )
      or strings.istarts_with(subject.subject, "Réponse automatique")
    )
    and (
      length(headers.references) > 0
      and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // negate bounce backs
  and not (
    strings.like(sender.email.local_part,
                 "*postmaster*",
                 "*mailer-daemon*",
                 "*administrator*"
    )
    and any(attachments,
            .content_type in (
              "message/rfc822",
              "message/delivery-status",
              "text/calendar"
            )
    )
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "74baa1e5-f1cd-5d15-b2f2-e863baf4a20f"