[Test Rules] [PR #4314] added rule: Brand impersonation: McAfee

github-actions[bot] · github-actions[bot] · commit c08a525c0740 · 2026-04-06T19:30:15.000Z
diff --git a/detection-rules/4314_brand_impersonation_mcafee.yml b/detection-rules/4314_brand_impersonation_mcafee.yml
@@ -0,0 +1,53 @@
+name: "Brand impersonation: McAfee"
+description: "Detects messages impersonating McAfee through display name, subject line, body content, or NLU entity detection when the sender is not from verified McAfee domains or other high-trust domains with valid DMARC authentication."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    regex.icontains(body.current_thread.text,
+                    'McAfee.{0,30}(?:Defense|Protection)'
+    )
+    or regex.icontains(subject.base, 'McAfee.{0,30}(?:Defense|Protection)')
+    or regex.icontains(sender.display_name,
+                       '^[\s[:punct:]]*mc\s*a+f+ee+(?:$|[^,])'
+    )
+    or (
+      any(ml.nlu_classifier(body.current_thread.text).entities,
+          .name in ("org", "sender") and strings.icontains(.text, 'mcafee')
+      )
+      and length(filter(ml.nlu_classifier(body.current_thread.text).entities,
+                        .name == "urgency"
+                 )
+      ) >= 2
+    )
+  )
+  and not any(ml.nlu_classifier(body.current_thread.text).topics,
+              .name in ("Newsletters and Digests", "Advertising and Promotions")
+              and .confidence != "low"
+  )
+  and not (
+    sender.email.domain.root_domain in ('mcafee.com', 'mcafeesecure.com')
+    and headers.auth_summary.dmarc.pass
+  )
+  and not (
+    sender.email.domain.root_domain in $high_trust_sender_root_domains
+    and headers.auth_summary.dmarc.pass
+  )
+
+attack_types:
+  - "Credential Phishing"
+  - "BEC/Fraud"
+  - "Callback Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+id: "2fc7931f-3169-5c4a-92f1-6a79b2745fbf"
+og_id: "6b593b92-b4f8-5a38-a2ba-216432df589c"
+testing_pr: 4314
+testing_sha: c4a1e6229311a7052e7e032935f811317a7d52dd
