
Brand impersonation: State Farm

Detects messages impersonating State Farm insurance company through display name spoofing or similar variations, excluding legitimate communications from verified State Farm domains with proper DMARC authentication.

MITRE ATT&CK

initial-access

Detection Query

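type.inbound
and (
  regex.icontains(sender.display_name, 'state\s?farm')
  // carve out venues and programs that legitimately carry the brand name;
  // this carve-out only applies when the display name contains the spaced
  // form "state farm" (the regex above also matches "statefarm")
  and not (
    strings.icontains(sender.display_name, "state farm")
    and (
      strings.icontains(sender.display_name, "center")
      or strings.icontains(sender.display_name, "arena")
      or strings.icontains(sender.display_name, "stadium")
      or strings.icontains(sender.display_name, "hall")
      or strings.icontains(sender.display_name, "classic")
      or strings.icontains(sender.display_name, "showdown")
      or strings.icontains(sender.display_name, "perks at work")
    )
  )
)

// and the sender is not in the organization's own domains
and not (sender.email.domain.root_domain in $org_domains)

// and the sender is not a known State Farm (or State Farm vendor) domain
// that passes DMARC; the DMARC gate matters because a spoofed From address
// using one of these domains would otherwise bypass the rule entirely
and not (
  sender.email.domain.root_domain in (
    "statefarm.com",
    "statefarminsurance.com",
    "statefarm.ca",
    "statefarmbank.com",
    "sfauthentication.com",
    "statefarmarena.com",
    "statefarmservice.com",
    "statefarmisthere.com",
    "digitalpayouts.com", // State Farm uses this domain for claim payouts
    "aravo.com", // risk management company State Farm uses
    "statefarmclaims.com",
    "statefarmfeedback.com", // legit survey
    "statefarmsurveys.com", // legit survey
    "nationalesurvey.com"
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

// negate highly trusted sender domains unless they fail DMARC authentication.
// $high_trust_sender_root_domains is deliberately NOT part of the unconditional
// exclusion above: listing it there would make this DMARC check unreachable
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)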

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
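name: "Brand impersonation: State Farm"
description: "Detects messages impersonating State Farm insurance company through display name spoofing or similar variations, excluding legitimate communications from verified State Farm domains with proper DMARC authentication."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    regex.icontains(sender.display_name, 'state\s?farm')
    // carve out venues and programs that legitimately carry the brand name;
    // this carve-out only applies when the display name contains the spaced
    // form "state farm" (the regex above also matches "statefarm")
    and not (
      strings.icontains(sender.display_name, "state farm")
      and (
        strings.icontains(sender.display_name, "center")
        or strings.icontains(sender.display_name, "arena")
        or strings.icontains(sender.display_name, "stadium")
        or strings.icontains(sender.display_name, "hall")
        or strings.icontains(sender.display_name, "classic")
        or strings.icontains(sender.display_name, "showdown")
        or strings.icontains(sender.display_name, "perks at work")
      )
    )
  )

  // and the sender is not in the organization's own domains
  and not (sender.email.domain.root_domain in $org_domains)

  // and the sender is not a known State Farm (or State Farm vendor) domain
  // that passes DMARC; the DMARC gate matters because a spoofed From address
  // using one of these domains would otherwise bypass the rule entirely
  and not (
    sender.email.domain.root_domain in (
      "statefarm.com",
      "statefarminsurance.com",
      "statefarm.ca",
      "statefarmbank.com",
      "sfauthentication.com",
      "statefarmarena.com",
      "statefarmservice.com",
      "statefarmisthere.com",
      "digitalpayouts.com", // State Farm uses this domain for claim payouts
      "aravo.com", // risk management company State Farm uses
      "statefarmclaims.com",
      "statefarmfeedback.com", // legit survey
      "statefarmsurveys.com", // legit survey
      "nationalesurvey.com"
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

  // negate highly trusted sender domains unless they fail DMARC authentication.
  // $high_trust_sender_root_domains is deliberately NOT part of the unconditional
  // exclusion above: listing it there would make this DMARC check unreachable
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "bcf7eba0-ac94-52c7-81b3-5abd8019f564"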