[PR #2814] changed rule: Brand impersonation: Experian

github-actions[bot] · github-actions[bot] · commit d9668bc5cdba · 2025-08-14T23:06:13.000Z
diff --git a/detection-rules/2814_impersonation_experian.yml b/detection-rules/2814_impersonation_experian.yml
@@ -0,0 +1,49 @@
+name: "Brand impersonation: Experian"
+description: |
+  Impersonation of Experian
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    strings.ilike(sender.display_name, '*experian*')
+    or strings.ilevenshtein(sender.display_name, 'experian') <= 1
+  )
+  and sender.email.domain.root_domain not in~ ('experian.com')
+  
+  // and not if the sender.display.name contains "via" and dmarc pass from experian.com
+  and not (
+    (
+      headers.auth_summary.dmarc.pass
+      and headers.auth_summary.dmarc.details.from.root_domain == "experian.com"
+    )
+    and strings.contains(sender.display_name, "via")
+  )
+
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+
+  // and no false positives and not solicited
+  and (
+    not profile.by_sender().any_false_positives
+    and not profile.by_sender().solicited
+  )
+  
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Lookalike domain"
+  - "Social engineering"
+detection_methods:
+  - "Sender analysis"
+id: "10376802-ef81-5045-8c8b-1f847c42e373"
+og_id: "7e5c04dd-e324-53de-b1e1-91f0bdc680cd"
+testing_pr: 2814
+testing_sha: c8cd74f8fa766693dd08d1b45c7e75574bb23408
