Brand impersonation: United Healthcare
Detects messages impersonating United Healthcare (UHC) by analyzing display names that contain variations of 'United Healthcare' or 'UHC', including those with character substitutions. The rule excludes legitimate messages from verified UHC domains that pass DMARC authentication and handles high-trust sender domains appropriately.
Detection Query
// Scope: inbound mail only; outbound and internal traffic is never evaluated.
type.inbound

// ---- Impersonation signals: any single one is enough to continue ----
and (
  // 1. Display name spells out the brand. Confusable (look-alike) characters
  //    are normalised before the wildcard matches so homoglyph variants hit.
  regex.icontains(sender.display_name, 'united ?health ?care')
  or strings.ilike(strings.replace_confusables(sender.display_name), '*united healthcare*')
  or strings.ilike(strings.replace_confusables(sender.display_name), 'UHC*')

  // 2. Display name is within one edit of "united healthcare" (typo variants).
  or strings.ilevenshtein(strings.replace_confusables(sender.display_name), 'united healthcare') <= 1

  // 3. Body names the brand together with a survey or free-benefit lure.
  or (
    regex.icontains(body.current_thread.text, 'united ?health ?care')
    and regex.icontains(body.current_thread.text,
                        'quick .{0,10}survey',
                        'dental (benefits?|coverage).{0,50}(free|eligible|no.{0,10}cost)',
                        'free.{0,30}(toothbrush|dental|benefit)'
    )
  )

  // 4. Brand string in the address local part, sent from a domain that is not
  //    one of the known UHC sending domains.
  //    Keep this list identical to the one in the DMARC exclusion below.
  or (
    strings.icontains(sender.email.local_part, "unitedhealthcare")
    and sender.email.domain.root_domain not in (
      "uhc.com",
      "unitedhealthcare.com",
      "uhcmedicaresolutions.com",
      "unitedhealthcareupdate.com",
      "yourhealth-wellnessteam.com",
      "uhc-customer.com",
      "leavesource.com"
    )
  )
)

// ---- Legitimate-sender exclusions ----

// Mail from the organisation's own domains is never flagged.
and not (sender.email.domain.root_domain in $org_domains)

// Known UHC sending domains, plus two named non-UHC senders whose display
// names begin with "UHC", are trusted only when DMARC passes.
// NOTE(review): the display-name exception is not tied to any sending domain,
// so a DMARC-aligned message from an unrelated domain that uses one of these
// two display names is also excluded. Scoping each display name to its
// expected root domain would narrow that exception.
and not (
  headers.auth_summary.dmarc.pass
  and (
    sender.email.domain.root_domain in (
      "uhc.com",
      "unitedhealthcare.com",
      "uhcmedicaresolutions.com",
      "unitedhealthcareupdate.com",
      "yourhealth-wellnessteam.com",
      "uhc-customer.com",
      "leavesource.com"
    )
    or sender.display_name in (
      "UHCOM Faculty Affairs",
      "UHC Construction Services"
    )
  )
)

// Job/career postings that mention UHC are not impersonation attempts.
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name == "Professional and Career Development"
            and .confidence == "high"
)

// High-trust sending domains are only suspicious when DMARC fails;
// everything else passes straight through this clause.
and (
  sender.email.domain.root_domain not in $high_trust_sender_root_domains
  or (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Brand impersonation: United Healthcare"
description: "Detects messages impersonating United Healthcare (UHC) by analyzing display names that contain variations of 'United Healthcare' or 'UHC', including those with character substitutions. The rule excludes legitimate messages from verified UHC domains that pass DMARC authentication and handles high-trust sender domains appropriately."
type: "rule"
severity: "medium"
# The MQL below is a single boolean expression; the literal block must stay
# indented under "source" or the rule body is lost at parse time.
source: |
  // Scope: inbound mail only; outbound and internal traffic is never evaluated.
  type.inbound

  // ---- Impersonation signals: any single one is enough to continue ----
  and (
    // 1. Display name spells out the brand. Confusable (look-alike) characters
    //    are normalised before the wildcard matches so homoglyph variants hit.
    regex.icontains(sender.display_name, 'united ?health ?care')
    or strings.ilike(strings.replace_confusables(sender.display_name), '*united healthcare*')
    or strings.ilike(strings.replace_confusables(sender.display_name), 'UHC*')

    // 2. Display name is within one edit of "united healthcare" (typo variants).
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name), 'united healthcare') <= 1

    // 3. Body names the brand together with a survey or free-benefit lure.
    or (
      regex.icontains(body.current_thread.text, 'united ?health ?care')
      and regex.icontains(body.current_thread.text,
                          'quick .{0,10}survey',
                          'dental (benefits?|coverage).{0,50}(free|eligible|no.{0,10}cost)',
                          'free.{0,30}(toothbrush|dental|benefit)'
      )
    )

    // 4. Brand string in the address local part, sent from a domain that is not
    //    one of the known UHC sending domains.
    //    Keep this list identical to the one in the DMARC exclusion below.
    or (
      strings.icontains(sender.email.local_part, "unitedhealthcare")
      and sender.email.domain.root_domain not in (
        "uhc.com",
        "unitedhealthcare.com",
        "uhcmedicaresolutions.com",
        "unitedhealthcareupdate.com",
        "yourhealth-wellnessteam.com",
        "uhc-customer.com",
        "leavesource.com"
      )
    )
  )

  // ---- Legitimate-sender exclusions ----

  // Mail from the organisation's own domains is never flagged.
  and not (sender.email.domain.root_domain in $org_domains)

  // Known UHC sending domains, plus two named non-UHC senders whose display
  // names begin with "UHC", are trusted only when DMARC passes.
  // NOTE(review): the display-name exception is not tied to any sending domain,
  // so a DMARC-aligned message from an unrelated domain that uses one of these
  // two display names is also excluded. Scoping each display name to its
  // expected root domain would narrow that exception.
  and not (
    headers.auth_summary.dmarc.pass
    and (
      sender.email.domain.root_domain in (
        "uhc.com",
        "unitedhealthcare.com",
        "uhcmedicaresolutions.com",
        "unitedhealthcareupdate.com",
        "yourhealth-wellnessteam.com",
        "uhc-customer.com",
        "leavesource.com"
      )
      or sender.display_name in (
        "UHCOM Faculty Affairs",
        "UHC Construction Services"
      )
    )
  )

  // Job/career postings that mention UHC are not impersonation attempts.
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Professional and Career Development"
              and .confidence == "high"
  )

  // High-trust sending domains are only suspicious when DMARC fails;
  // everything else passes straight through this clause.
  and (
    sender.email.domain.root_domain not in $high_trust_sender_root_domains
    or (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "f8dfff1a-8f3e-5301-b2d7-b68a78ad34db"