EXPLORE
← Back to Explore
sublimehighRule

Brand impersonation: Proofpoint secure messaging without legitimate indicators

Detects messages impersonating Proofpoint secure messaging services that contain Proofpoint branding text but lack legitimate Proofpoint secure sharing URIs or authentic attachment indicators, suggesting fraudulent use of the brand.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and (
  // matching proofpoint secure messaging
  (
    strings.contains(body.current_thread.text,
                     "Secured by Proofpoint Encryption,"
    )
    and not strings.iends_with(body.current_thread.text,
                               "Secured by Proofpoint Encryption, Copyright © 2009-2016 Proofpoint, Inc. All rights reserved."
    )
  )
  or regex.icontains(body.current_thread.text,
                     ('Copyright © 2009-202\d Proofpoint, Inc.')
  )
  or strings.icontains(body.html.raw, '<h1>Proofpoint |')
  // body.html contains a suspicious title impersonating proofpoint
  or (
    any(html.xpath(body.html, '//title').nodes,
        strings.icontains(.raw, "secure access")
        and strings.icontains(.raw, 'Proofpoint')
    )
  )
  // no links but has attachments which impersonate proofpoint
  or any(attachments,
         strings.icontains(file.parse_text(.).text, '<h1>Proofpoint |')
         or any(html.xpath(file.parse_html(.), '//title').nodes,
                strings.icontains(.raw, "secure access")
                and strings.icontains(.raw, 'Proofpoint')
         )
  )
)
and (
  // contains a link
  length(body.current_thread.links) >= 1
  // or an attachment (legit attachments negated in stanza below)
  or length(attachments) > 0
)

// pfpt secure share uri
and not (
  any(body.links,
      // negate the actual dest of the legit "click here" link
      .href_url.path == "/formpostdir/securereader"
      // negate where the link domain is mimecast and check LA for the pfpt URI
      or (
        .href_url.domain.root_domain == "mimecastprotect.com"
        and (
          ml.link_analysis(., mode="aggressive").effective_url.path == "/formpostdir/securereader"
          or any(ml.link_analysis(., mode="aggressive").redirect_history,
                 .path == "/formpostdir/securereader"
          )
        )
      )
      or (
        .href_url.domain.root_domain == "mimecastprotect.com"
        and .display_text =~ "Click here"
        and strings.parse_domain(.href_url.query_params_decoded["domain"][0]).root_domain == sender.email.domain.root_domain
      )
  )
)
// negate actual SecureMessageAtt.html links that ave been quarantined by mimecast
and not any(attachments,
            // pfpt attachment file
            .file_name == "SecureMessageAtt.html"
            // mimecast quarantine details
            or (
              .content_type == "message/rfc822"
              and length(file.parse_eml(.).body.links) == 1
              and any(file.parse_eml(.).body.links,
                      .display_text == "download it"
                      and .href_url.domain.root_domain == "mimecast.com"
              )
              and strings.ends_with(file.parse_eml(.).headers.message_id,
                                    "@localhost>"
              )
            )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: Proofpoint secure messaging without legitimate indicators"
description: "Detects messages impersonating Proofpoint secure messaging services that contain Proofpoint branding text but lack legitimate Proofpoint secure sharing URIs or authentic attachment indicators, suggesting fraudulent use of the brand."
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    // matching proofpoint secure messaging
    (
      strings.contains(body.current_thread.text,
                       "Secured by Proofpoint Encryption,"
      )
      and not strings.iends_with(body.current_thread.text,
                                 "Secured by Proofpoint Encryption, Copyright © 2009-2016 Proofpoint, Inc. All rights reserved."
      )
    )
    or regex.icontains(body.current_thread.text,
                       ('Copyright © 2009-202\d Proofpoint, Inc.')
    )
    or strings.icontains(body.html.raw, '<h1>Proofpoint |')
    // body.html contains a suspicious title impersonating proofpoint
    or (
      any(html.xpath(body.html, '//title').nodes,
          strings.icontains(.raw, "secure access")
          and strings.icontains(.raw, 'Proofpoint')
      )
    )
    // no links but has attachments which impersonate proofpoint
    or any(attachments,
           strings.icontains(file.parse_text(.).text, '<h1>Proofpoint |')
           or any(html.xpath(file.parse_html(.), '//title').nodes,
                  strings.icontains(.raw, "secure access")
                  and strings.icontains(.raw, 'Proofpoint')
           )
    )
  )
  and (
    // contains a link
    length(body.current_thread.links) >= 1
    // or an attachment (legit attachments negated in stanza below)
    or length(attachments) > 0
  )
  
  // pfpt secure share uri
  and not (
    any(body.links,
        // negate the actual dest of the legit "click here" link
        .href_url.path == "/formpostdir/securereader"
        // negate where the link domain is mimecast and check LA for the pfpt URI
        or (
          .href_url.domain.root_domain == "mimecastprotect.com"
          and (
            ml.link_analysis(., mode="aggressive").effective_url.path == "/formpostdir/securereader"
            or any(ml.link_analysis(., mode="aggressive").redirect_history,
                   .path == "/formpostdir/securereader"
            )
          )
        )
        or (
          .href_url.domain.root_domain == "mimecastprotect.com"
          and .display_text =~ "Click here"
          and strings.parse_domain(.href_url.query_params_decoded["domain"][0]).root_domain == sender.email.domain.root_domain
        )
    )
  )
  // negate actual SecureMessageAtt.html links that ave been quarantined by mimecast
  and not any(attachments,
              // pfpt attachment file
              .file_name == "SecureMessageAtt.html"
              // mimecast quarantine details
              or (
                .content_type == "message/rfc822"
                and length(file.parse_eml(.).body.links) == 1
                and any(file.parse_eml(.).body.links,
                        .display_text == "download it"
                        and .href_url.domain.root_domain == "mimecast.com"
                )
                and strings.ends_with(file.parse_eml(.).headers.message_id,
                                      "@localhost>"
                )
              )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "URL analysis"
id: "84b72d02-f80c-56d0-9b42-c5f92750ec11"