Brand impersonation: State Farm
Detects messages impersonating State Farm insurance company through display name spoofing or similar variations, excluding legitimate communications from verified State Farm domains with proper DMARC authentication.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Social engineering, Spoofing |
Event coverage
| Message attribute |
|---|
| headers.auth_summary |
| sender |
| sender.email |
| type |
Rule body MQL
```
type.inbound
and (
  regex.icontains(sender.display_name, 'state\s?farm')
  and not (
    strings.icontains(sender.display_name, "state farm")
    and (
      strings.icontains(sender.display_name, "center")
      or strings.icontains(sender.display_name, "arena")
      or strings.icontains(sender.display_name, "stadium")
      or strings.icontains(sender.display_name, "hall")
      or strings.icontains(sender.display_name, "classic")
      or strings.icontains(sender.display_name, "showdown")
      or strings.icontains(sender.display_name, "perks at work")
    )
  )
)
// and the sender is not in org_domains or from State Farm domains
and not (
  (
    sender.email.domain.root_domain in $org_domains
    or sender.email.domain.root_domain in $high_trust_sender_root_domains
    or sender.email.domain.root_domain in (
      "statefarm.com",
      "statefarminsurance.com",
      "statefarm.ca",
      "statefarmbank.com",
      "sfauthentication.com",
      "statefarmarena.com",
      "statefarmservice.com",
      "statefarmisthere.com",
      "digitalpayouts.com", // State Farm uses this domain for claim payouts
      "aravo.com", // risk management company State Farm uses
      "statefarmclaims.com",
      "statefarmfeedback.com", // legit survey
      "statefarmsurveys.com", // legit survey
      "nationalesurvey.com"
    )
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
```
Detection logic
Scope: inbound message.
- inbound message
- all of:
  - sender.display_name matches 'state\s?farm'
  - not all of:
    - sender.display_name contains 'state farm'
    - sender.display_name contains any of 7 patterns: 'center', 'arena', 'stadium', 'hall', 'classic', 'showdown', 'perks at work'
- none of:
  - sender.email.domain.root_domain in $org_domains
  - sender.email.domain.root_domain in $high_trust_sender_root_domains
  - sender.email.domain.root_domain in ('statefarm.com', 'statefarminsurance.com', 'statefarm.ca', 'statefarmbank.com', 'sfauthentication.com', 'statefarmarena.com', 'statefarmservice.com', 'statefarmisthere.com', 'digitalpayouts.com', 'aravo.com', 'statefarmclaims.com', 'statefarmfeedback.com', 'statefarmsurveys.com', 'nationalesurvey.com')
- not all of:
  - sender.email.domain.root_domain in $high_trust_sender_root_domains
  - coalesce(headers.auth_summary.dmarc.pass, false)
Inspects: headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.root_domain, type.inbound. Sensors: regex.icontains, strings.icontains. Reference lists: $high_trust_sender_root_domains, $org_domains.
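To see how the three clauses combine, the following is an added Python re-implementation of the rule's logic (not Sublime's code and not an MQL evaluator) run over constructed messages. The `$org_domains` and `$high_trust_sender_root_domains` reference lists are assumed values here; `dmarc_pass=None` models a missing `headers.auth_summary`, which `coalesce` turns into `false`.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed contents of the Sublime reference lists (constructed for this example).
ORG_DOMAINS = {"example.com"}
HIGH_TRUST_ROOT_DOMAINS = {"statefarm.com", "intuit.com"}
# Known State Farm root domains, copied from the rule body above.
STATE_FARM_DOMAINS = {
    "statefarm.com", "statefarminsurance.com", "statefarm.ca", "statefarmbank.com",
    "sfauthentication.com", "statefarmarena.com", "statefarmservice.com",
    "statefarmisthere.com", "digitalpayouts.com", "aravo.com", "statefarmclaims.com",
    "statefarmfeedback.com", "statefarmsurveys.com", "nationalesurvey.com",
}
VENUE_TERMS = ("center", "arena", "stadium", "hall", "classic", "showdown", "perks at work")
BRAND_RE = re.compile(r"state\s?farm", re.IGNORECASE)  # regex.icontains equivalent


@dataclass
class Message:
    inbound: bool
    display_name: str
    root_domain: str            # sender.email.domain.root_domain
    dmarc_pass: Optional[bool]  # headers.auth_summary.dmarc.pass, None if absent


def matches_rule(msg: Message) -> bool:
    """True when the message would match the State Farm impersonation rule."""
    if not msg.inbound:
        return False
    name = msg.display_name.lower()
    # Display name references the brand ("State Farm" or "StateFarm")...
    brand_hit = BRAND_RE.search(msg.display_name) is not None
    # ...but sponsorship/venue names such as "State Farm Arena" are carved out.
    venue_name = "state farm" in name and any(t in name for t in VENUE_TERMS)
    if not (brand_hit and not venue_name):
        return False
    # Sender root domain must not be an org, high-trust or known State Farm domain.
    if (msg.root_domain in ORG_DOMAINS
            or msg.root_domain in HIGH_TRUST_ROOT_DOMAINS
            or msg.root_domain in STATE_FARM_DOMAINS):
        return False
    # High-trust senders are exempt only when DMARC passes (coalesce(..., false)).
    if msg.root_domain in HIGH_TRUST_ROOT_DOMAINS and (msg.dmarc_pass or False):
        return False
    return True
```

Note that the second `and not` block already exempts every `$high_trust_sender_root_domains` sender regardless of DMARC, so the final DMARC clause never changes the outcome as the rule is written; the example reproduces that behaviour rather than altering it.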
Indicators matched (23)
| Field | Match | Value |
|---|---|---|
| regex.icontains | regex | state\s?farm |
| strings.icontains | substring | state farm |
| strings.icontains | substring | center |
| strings.icontains | substring | arena |
| strings.icontains | substring | stadium |
| strings.icontains | substring | hall |
| strings.icontains | substring | classic |
| strings.icontains | substring | showdown |
| strings.icontains | substring | perks at work |
| sender.email.domain.root_domain | member | statefarm.com |
| sender.email.domain.root_domain | member | statefarminsurance.com |
| sender.email.domain.root_domain | member | statefarm.ca |
| sender.email.domain.root_domain | member | statefarmbank.com |
| sender.email.domain.root_domain | member | sfauthentication.com |
| sender.email.domain.root_domain | member | statefarmarena.com |
| sender.email.domain.root_domain | member | statefarmservice.com |
| sender.email.domain.root_domain | member | statefarmisthere.com |
| sender.email.domain.root_domain | member | digitalpayouts.com |
| sender.email.domain.root_domain | member | aravo.com |
| sender.email.domain.root_domain | member | statefarmclaims.com |
| sender.email.domain.root_domain | member | statefarmfeedback.com |
| sender.email.domain.root_domain | member | statefarmsurveys.com |
| sender.email.domain.root_domain | member | nationalesurvey.com |