Detection rules › Sublime MQL

Brand impersonation: Aquent

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects messages impersonating Aquent, a staffing and talent solutions company, by analyzing sender display names and body content for Aquent branding and office addresses from unauthorized domains.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category               | Values
Attack types           | BEC/Fraud, Credential Phishing
Tactics and techniques | Impersonation: Brand, Social engineering

Event coverage

Rule body MQL

type.inbound
and (
  regex.icontains(sender.display_name, 'Aquent\b')
  // look for Aquent address from footer, or current address being used by actors
  or (
    strings.icontains(body.current_thread.text, 'Aquent')
    and (
      (
        strings.icontains(body.current_thread.text, '2884 Sand Hill Road')
        and strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025')
      )
      or (
        strings.icontains(body.current_thread.text, '501 Boylston St')
        and strings.icontains(body.current_thread.text, 'Boston, MA 02116')
      )
    )
  )
)
and not (
  sender.email.domain.root_domain in $org_domains
  or (
    sender.email.domain.root_domain in (
      "aquent.com",
      "dice.com",
      "roberthalf.com",
      "roberthalf.be",
      "service-now.com",
      "protiviti.com",
      "atlassian.net",
      "workday.com",
      "myworkday.com",
      "rapdev.io",
      "immersivelabs.com",
      "outsidegc.com"
    )
    and headers.auth_summary.dmarc.pass
  )
)
// not a forward or reply
and (headers.in_reply_to is null or length(headers.references) == 0)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name == "Advertising and Promotions" and .confidence != "low"
)
// negate instances where proofpoint sends a review of a reported message via analyzer
and not (
  sender.email.email == "analyzer@analyzer.securityeducation.com"
  and any(headers.domains, .root_domain == "pphosted.com")
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
)

Detection logic

Scope: inbound message.


  1. inbound message
  2. any of:
    • sender.display_name matches 'Aquent\b'
    • all of:
      • body.current_thread.text contains 'Aquent'
      • any of:
        • all of:
          • body.current_thread.text contains '2884 Sand Hill Road'
          • body.current_thread.text contains 'Menlo Park, CA 94025'
        • all of:
          • body.current_thread.text contains '501 Boylston St'
          • body.current_thread.text contains 'Boston, MA 02116'
  3. none of:
    • sender.email.domain.root_domain in $org_domains
    • all of:
      • sender.email.domain.root_domain in ('aquent.com', 'dice.com', 'roberthalf.com', 'roberthalf.be', 'service-now.com', 'protiviti.com', 'atlassian.net', 'workday.com', 'myworkday.com', 'rapdev.io', 'immersivelabs.com', 'outsidegc.com')
      • headers.auth_summary.dmarc.pass
  4. any of:
    • headers.in_reply_to is missing
    • length(headers.references) is 0
  5. not:
    • any of ml.nlu_classifier(body.current_thread.text).topics where all hold:
      • .name is 'Advertising and Promotions'
      • .confidence is not 'low'
  6. not:
    • all of:
      • sender.email.email is 'analyzer@analyzer.securityeducation.com'
      • any of headers.domains where:
        • .root_domain is 'pphosted.com'
      • headers.auth_summary.spf.pass
      • headers.auth_summary.dmarc.pass

Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, headers.auth_summary.spf.pass, headers.domains, headers.domains[].root_domain, headers.in_reply_to, headers.references, sender.display_name, sender.email.domain.root_domain, sender.email.email, type.inbound. Sensors: ml.nlu_classifier, regex.icontains, strings.icontains. Reference lists: $org_domains.
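The decision tree above, re-implemented as an added Python example (not part of the Sublime rule or its repository) so the exclusions can be exercised on constructed messages. The message dict, its field names and the sample messages are assumptions of this example; `topics` stands in for the `ml.nlu_classifier` output.

```python
import re

# Root domains the rule treats as legitimate senders when DMARC passes
ALLOWED_ROOT_DOMAINS = {
    "aquent.com", "dice.com", "roberthalf.com", "roberthalf.be", "service-now.com",
    "protiviti.com", "atlassian.net", "workday.com", "myworkday.com", "rapdev.io",
    "immersivelabs.com", "outsidegc.com",
}
# Office address pairs the rule looks for in the current thread body
OFFICE_ADDRESSES = [("2884 Sand Hill Road", "Menlo Park, CA 94025"),
                    ("501 Boylston St", "Boston, MA 02116")]

def aquent_impersonation(msg, org_domains=frozenset()):
    """Return True when `msg` (a dict standing in for Sublime's message object,
    an assumption of this example) would match the rule."""
    if not msg.get("inbound", True):
        return False
    body = msg["body"].lower()
    brand_in_name = re.search(r"aquent\b", msg["display_name"], re.I) is not None
    address_in_body = "aquent" in body and any(
        street.lower() in body and city.lower() in body for street, city in OFFICE_ADDRESSES)
    if not (brand_in_name or address_in_body):
        return False
    root = msg["root_domain"]
    if root in org_domains or (root in ALLOWED_ROOT_DOMAINS and msg["dmarc_pass"]):
        return False                      # allow-listed sender with DMARC pass
    if msg.get("in_reply_to") is not None and len(msg.get("references", [])) != 0:
        return False                      # forward or reply
    if any(n == "Advertising and Promotions" and c != "low" for n, c in msg.get("topics", [])):
        return False                      # marketing mail, per the NLU classifier
    if (msg.get("sender_email") == "analyzer@analyzer.securityeducation.com"
            and "pphosted.com" in msg.get("header_root_domains", [])
            and msg["spf_pass"] and msg["dmarc_pass"]):
        return False                      # Proofpoint analyzer review of a reported message
    return True

# Constructed sample messages (not real traffic)
SPOOF = {"display_name": "Aquent Talent", "body": "Hi, we have a contract role for you.",
         "root_domain": "example.net", "dmarc_pass": True, "spf_pass": True,
         "in_reply_to": None, "references": []}
LEGIT = dict(SPOOF, root_domain="aquent.com")
REPLY = dict(SPOOF, in_reply_to="<a@example.net>", references=["<a@example.net>"])
MARKETING = dict(SPOOF, topics=[("Advertising and Promotions", "high")])
ADDRESS = dict(SPOOF, display_name="Recruiting Team",
               body="Aquent, 2884 Sand Hill Road, Menlo Park, CA 94025")
```

Run `aquent_impersonation` over the samples: SPOOF and ADDRESS match, while LEGIT, REPLY and MARKETING are excluded by the rule's negations.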

Indicators matched (21)

Field | Match | Value
regex.icontains | regex | Aquent\b
strings.icontains | substring | Aquent
strings.icontains | substring | 2884 Sand Hill Road
strings.icontains | substring | Menlo Park, CA 94025
strings.icontains | substring | 501 Boylston St
strings.icontains | substring | Boston, MA 02116
sender.email.domain.root_domain | member | aquent.com
sender.email.domain.root_domain | member | dice.com
sender.email.domain.root_domain | member | roberthalf.com
sender.email.domain.root_domain | member | roberthalf.be
sender.email.domain.root_domain | member | service-now.com
sender.email.domain.root_domain | member | protiviti.com
sender.email.domain.root_domain | member | atlassian.net
sender.email.domain.root_domain | member | workday.com
sender.email.domain.root_domain | member | myworkday.com
sender.email.domain.root_domain | member | rapdev.io
sender.email.domain.root_domain | member | immersivelabs.com
sender.email.domain.root_domain | member | outsidegc.com
ml.nlu_classifier(body.current_thread.text).topics[].name | equals | Advertising and Promotions
sender.email.email | equals | analyzer@analyzer.securityeducation.com
headers.domains[].root_domain | equals | pphosted.com