You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
name: "PR# 4683 - Brand impersonation: Claude with newly registered domains"
2
+
description: "Detects messages impersonating Anthropic or Claude using sender display names of 'Anthropic' or 'Claude' from domains not affiliated with the legitimate brands. The rule flags messages where the sending domain, reply-to domain, or return-path domain is newly registered (under 60 days old)."
3
+
type: "rule"
4
+
severity: "medium"
5
+
source: |
6
+
type.inbound
7
+
and not sender.email.domain.root_domain in ("claude.com", "anthropic.com")
8
+
and sender.display_name in ("Anthropic", "Claude")
9
+
// a newly created domain
10
+
and (
11
+
all(headers.reply_to,
12
+
.email.domain.root_domain not in $free_email_providers
13
+
and network.whois(.email.domain).days_old <= 60
14
+
and .email.email != sender.email.email
15
+
)
16
+
// or the return path or sender domain is less than 60d old
17
+
or network.whois(headers.return_path.domain).days_old <= 60
18
+
or network.whois(sender.email.domain).days_old <= 60
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4&size=40){kind=avatar}
0 commit comments