Brand impersonation: Proofpoint secure messaging without legitimate indicators
Detects messages impersonating Proofpoint secure messaging services that contain Proofpoint branding text but lack legitimate Proofpoint secure sharing URIs or authentic attachment indicators, suggesting fraudulent use of the brand.
Detection Query
// Purpose: flag inbound mail that carries Proofpoint Encryption branding text
// but none of the artifacts this rule treats as evidence of a genuine
// Proofpoint secure message (the secure-reader path, a Mimecast-wrapped link
// that resolves to it, or the known attachment / quarantine notice).
type.inbound
and (
  // matching proofpoint secure messaging
  strings.contains(body.current_thread.text,
                   "Secured by Proofpoint Encryption,"
  )
  // NOTE(review): the year pattern 202\d stops matching from 2030 onward, and
  // the unescaped "." in "Inc." matches any character rather than a literal
  // period — harmless for detection, but worth tightening when the range is
  // next updated
  or regex.icontains(body.current_thread.text,
                     ('Copyright © 2009-202\d Proofpoint, Inc.')
  )
)
// require at least one link in the current thread; the branding alone is not
// enough to decide
and length(body.current_thread.links) >= 1
// pfpt secure share uri
and not (
  any(body.links,
      // negate the actual dest of the legit "click here" link
      // NOTE(review): this exclusion compares the URL path only and places no
      // constraint on the host, so any link with this path is treated as
      // legitimate; consider pairing it with a domain check — TODO confirm
      // which hosts genuine secure-reader links use
      .href_url.path == "/formpostdir/securereader"
      // negate where the link domain is mimecast and check LA (ml.link_analysis)
      // for the pfpt URI, either as the final effective URL or anywhere in the
      // redirect chain
      or (
        .href_url.domain.root_domain == "mimecastprotect.com"
        and (
          ml.link_analysis(., mode="aggressive").effective_url.path == "/formpostdir/securereader"
          or any(ml.link_analysis(., mode="aggressive").redirect_history,
                 .path == "/formpostdir/securereader"
          )
        )
      )
      // Mimecast-wrapped "Click here" link whose decoded "domain" query
      // parameter resolves to the same root domain as the sender
      or (
        .href_url.domain.root_domain == "mimecastprotect.com"
        and .display_text =~ "Click here"
        and strings.parse_domain(.href_url.query_params_decoded["domain"][0]).root_domain == sender.email.domain.root_domain
      )
  )
)
// negate actual SecureMessageAtt.html links that have been quarantined by mimecast
and not any(attachments,
            // pfpt attachment file
            // NOTE(review): this exclusion keys on the attachment file name
            // alone; consider whether a content-based check is available — TODO
            .file_name == "SecureMessageAtt.html"
            // mimecast quarantine details: an attached .eml with exactly one
            // "download it" link to mimecast.com and a localhost Message-ID
            or (
              .content_type == "message/rfc822"
              and length(file.parse_eml(.).body.links) == 1
              and any(file.parse_eml(.).body.links,
                      .display_text == "download it"
                      and .href_url.domain.root_domain == "mimecast.com"
              )
              and strings.ends_with(file.parse_eml(.).headers.message_id,
                                    "@localhost>"
              )
            )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Sublime detection rule. "source" holds the MQL query; the remaining keys are
# rule metadata and classification tags.
name: "Brand impersonation: Proofpoint secure messaging without legitimate indicators"
description: "Detects messages impersonating Proofpoint secure messaging services that contain Proofpoint branding text but lack legitimate Proofpoint secure sharing URIs or authentic attachment indicators, suggesting fraudulent use of the brand."
type: "rule"
severity: "high"
source: |
  // Purpose: flag inbound mail that carries Proofpoint Encryption branding text
  // but none of the artifacts this rule treats as evidence of a genuine
  // Proofpoint secure message (the secure-reader path, a Mimecast-wrapped link
  // that resolves to it, or the known attachment / quarantine notice).
  type.inbound
  and (
    // matching proofpoint secure messaging
    strings.contains(body.current_thread.text,
                     "Secured by Proofpoint Encryption,"
    )
    // NOTE(review): the year pattern 202\d stops matching from 2030 onward, and
    // the unescaped "." in "Inc." matches any character rather than a literal
    // period — harmless for detection, but worth tightening when the range is
    // next updated
    or regex.icontains(body.current_thread.text,
                       ('Copyright © 2009-202\d Proofpoint, Inc.')
    )
  )
  // require at least one link in the current thread; the branding alone is not
  // enough to decide
  and length(body.current_thread.links) >= 1
  // pfpt secure share uri
  and not (
    any(body.links,
        // negate the actual dest of the legit "click here" link
        // NOTE(review): this exclusion compares the URL path only and places no
        // constraint on the host, so any link with this path is treated as
        // legitimate; consider pairing it with a domain check — TODO confirm
        // which hosts genuine secure-reader links use
        .href_url.path == "/formpostdir/securereader"
        // negate where the link domain is mimecast and check LA (ml.link_analysis)
        // for the pfpt URI, either as the final effective URL or anywhere in the
        // redirect chain
        or (
          .href_url.domain.root_domain == "mimecastprotect.com"
          and (
            ml.link_analysis(., mode="aggressive").effective_url.path == "/formpostdir/securereader"
            or any(ml.link_analysis(., mode="aggressive").redirect_history,
                   .path == "/formpostdir/securereader"
            )
          )
        )
        // Mimecast-wrapped "Click here" link whose decoded "domain" query
        // parameter resolves to the same root domain as the sender
        or (
          .href_url.domain.root_domain == "mimecastprotect.com"
          and .display_text =~ "Click here"
          and strings.parse_domain(.href_url.query_params_decoded["domain"][0]).root_domain == sender.email.domain.root_domain
        )
    )
  )
  // negate actual SecureMessageAtt.html links that have been quarantined by mimecast
  and not any(attachments,
              // pfpt attachment file
              // NOTE(review): this exclusion keys on the attachment file name
              // alone; consider whether a content-based check is available — TODO
              .file_name == "SecureMessageAtt.html"
              // mimecast quarantine details: an attached .eml with exactly one
              // "download it" link to mimecast.com and a localhost Message-ID
              or (
                .content_type == "message/rfc822"
                and length(file.parse_eml(.).body.links) == 1
                and any(file.parse_eml(.).body.links,
                        .display_text == "download it"
                        and .href_url.domain.root_domain == "mimecast.com"
                )
                and strings.ends_with(file.parse_eml(.).headers.message_id,
                                      "@localhost>"
                )
              )
  )
# classification tags for the rule
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "URL analysis"
# stable identifier for this rule
id: "84b72d02-f80c-56d0-9b42-c5f92750ec11"