From e04b4b4ae60972a57c21392dddacb9bfbf2e64f0 Mon Sep 17 00:00:00 2001
From: cw-sublime
Date: Tue, 16 Jun 2026 14:12:06 -0400
Subject: [PATCH 1/5] Add detection rule for Claude impersonation with domains

This rule detects impersonation of Anthropic or Claude using newly registered domains. It flags messages based on sender display names and checks for domain age and specific content in the message.
---
 .../impersonation_claude_domain.yml | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 detection-rules/impersonation_claude_domain.yml

diff --git a/detection-rules/impersonation_claude_domain.yml b/detection-rules/impersonation_claude_domain.yml
new file mode 100644
index 00000000000..b448bfa7995
--- /dev/null
+++ b/detection-rules/impersonation_claude_domain.yml
@@ -0,0 +1,48 @@
+name: "Brand impersonation: Claude with newly registered domains"
+description: "Detects messages impersonating Anthropic or Claude using sender display names of 'Anthropic' or 'Claude' from domains not affiliated with the legitimate brands. The rule flags messages where the sending domain, reply-to domain, or return-path domain is newly registered (under 60 days old)."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and not sender.email.domain.root_domain in ("claude.com", "anthropic.com")
+ and sender.display_name in ("Anthropic", "Claude")
+ // a newly created domain
+ and (
+ all(headers.reply_to,
+ .email.domain.root_domain not in $free_email_providers
+ and network.whois(.email.domain).days_old <= 60
+ and .email.email != sender.email.email
+ )
+ // or the return path or sender domain is less than 60d old
+ or network.whois(headers.return_path.domain).days_old <= 60
+ or network.whois(sender.email.domain).days_old <= 60
+ )
+ and (
+ (
+ strings.contains(body.current_thread.text, "Claude")
+ and strings.icontains(body.current_thread.text, "claude ads")
+ )
+ or strings.icontains(body.current_thread.text, "anthropic, pbc")
+ or regex.icontains(subject.base, "(?:early.{0,20}claude|claude.{0,20}(?:early.access|ads))")
+ )
+ // and any(body.links,
+ // strings.icontains(.href_url.domain.domain, 'claude-marketing-team.com')
+ // or strings.icontains(.href_url.domain.domain, 'anthropic-ads.com')
+ // )
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and not (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and coalesce(headers.auth_summary.dmarc.pass, false)
+ )
+attack_types:
+ - "BEC/Fraud"
+ - "Spam"
+tactics_and_techniques:
+ - "Lookalike domain"
+ - "Social engineering"
+ - "Spoofing"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
+ - "Whois"

From 92cecea5d48312f4787cba63367ae0d2bc0472b3 Mon Sep 17 00:00:00 2001
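Review bot: The `all(headers.reply_to, …)` branch inside the first `and ( … )` group is satisfied when the message carries no Reply-To header at all, because `all()` over an empty list evaluates true in MQL (as far as I can tell from the language's documented semantics), so on such messages no whois age check runs and the rule fires on display name plus body/subject content alone. Guard the branch with a non-empty check, e.g. `length(headers.reply_to) > 0 and all(headers.reply_to, …)`, or fold the reply-to check into the `or` chain with the sender and return-path checks. Patch 4 of this series removes the reply-to branch entirely, which also resolves this, but the standalone commit should not land with a vacuous age gate.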
From: CI Bot
Date: Tue, 16 Jun 2026 18:16:39 +0000
Subject: [PATCH 2/5] Auto-format MQL and add rule IDs

---
 detection-rules/impersonation_claude_domain.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/detection-rules/impersonation_claude_domain.yml b/detection-rules/impersonation_claude_domain.yml
index b448bfa7995..8d539da4a87 100644
--- a/detection-rules/impersonation_claude_domain.yml
+++ b/detection-rules/impersonation_claude_domain.yml
@@ -23,7 +23,9 @@ source: |
 and strings.icontains(body.current_thread.text, "claude ads")
 )
 or strings.icontains(body.current_thread.text, "anthropic, pbc")
- or regex.icontains(subject.base, "(?:early.{0,20}claude|claude.{0,20}(?:early.access|ads))")
+ or regex.icontains(subject.base,
+ "(?:early.{0,20}claude|claude.{0,20}(?:early.access|ads))"
+ )
 )
 // and any(body.links,
 // strings.icontains(.href_url.domain.domain, 'claude-marketing-team.com')
@@ -46,3 +48,4 @@ detection_methods:
 - "Header analysis"
 - "Sender analysis"
 - "Whois"
+id: "02d16c54-a773-5286-b7a8-7b37551ccba5"

From 94847e25a8039d6f7bf861cbb4ed6c0a5fd3d130 Mon Sep 17 00:00:00 2001
From: cw-sublime
Date: Tue, 16 Jun 2026 18:32:30 -0400
Subject: [PATCH 3/5] Remove commented-out body link conditions

Removed commented-out conditions for body links in impersonation detection rule.
---
 detection-rules/impersonation_claude_domain.yml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/detection-rules/impersonation_claude_domain.yml b/detection-rules/impersonation_claude_domain.yml
index 8d539da4a87..22972f2c853 100644
--- a/detection-rules/impersonation_claude_domain.yml
+++ b/detection-rules/impersonation_claude_domain.yml
@@ -27,10 +27,6 @@ source: |
 "(?:early.{0,20}claude|claude.{0,20}(?:early.access|ads))"
 )
 )
- // and any(body.links,
- // strings.icontains(.href_url.domain.domain, 'claude-marketing-team.com')
- // or strings.icontains(.href_url.domain.domain, 'anthropic-ads.com')
- // )
 // negate highly trusted sender domains unless they fail DMARC authentication
 and not (
 sender.email.domain.root_domain in $high_trust_sender_root_domains

From 313f4c2b14f91f8d058236add5ed359655433e66 Mon Sep 17 00:00:00 2001
From: cw-sublime
Date: Wed, 17 Jun 2026 22:50:49 -0400
Subject: [PATCH 4/5] Refine impersonation detection rules for Claude domain

---
 .../impersonation_claude_domain.yml | 25 +++++++++----------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/detection-rules/impersonation_claude_domain.yml b/detection-rules/impersonation_claude_domain.yml
index 22972f2c853..cc9d604377a 100644
--- a/detection-rules/impersonation_claude_domain.yml
+++ b/detection-rules/impersonation_claude_domain.yml
@@ -6,23 +6,22 @@ source: |
 type.inbound
 and not sender.email.domain.root_domain in ("claude.com", "anthropic.com")
 and sender.display_name in ("Anthropic", "Claude")
- // a newly created domain
+ // links created less than 90 days
+ and any(body.links, network.whois(.href_url.domain).days_old <= 90)
 and (
- all(headers.reply_to,
- .email.domain.root_domain not in $free_email_providers
- and network.whois(.email.domain).days_old <= 60
- and .email.email != sender.email.email
- )
- // or the return path or sender domain is less than 60d old
- or network.whois(headers.return_path.domain).days_old <= 60
- or network.whois(sender.email.domain).days_old <= 60
+ // or the return path or sender domain is less than 90 days old
+ network.whois(sender.email.domain).days_old <= 90
+ or network.whois(headers.return_path.domain).days_old <= 90
 )
 and (
- (
- strings.contains(body.current_thread.text, "Claude")
- and strings.icontains(body.current_thread.text, "claude ads")
+ strings.icontains(body.current_thread.text, "claude")
+ or strings.icontains(body.current_thread.text, "claude ads")
+ or strings.icontains(body.current_thread.text, "anthropic team")
+ or strings.contains(body.current_thread.text,
+ "Anthropic PBC, 548 Market St, PMB 90375, San Francisco, CA 94104"
 )
- or strings.icontains(body.current_thread.text, "anthropic, pbc")
+ or strings.icontains(subject.base, "*claude*")
+ or strings.icontains(subject.base, "*anthropic*")
 or regex.icontains(subject.base,
 "(?:early.{0,20}claude|claude.{0,20}(?:early.access|ads))"
 )

From fae153b868f344fd46497f6b5419bd15233c7e62 Mon Sep 17 00:00:00 2001
From: cw-sublime
Date: Thu, 18 Jun 2026 19:33:04 -0400
Subject: [PATCH 5/5] Modify domain registration age threshold to 90 days

---
 detection-rules/impersonation_claude_domain.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/impersonation_claude_domain.yml b/detection-rules/impersonation_claude_domain.yml
index cc9d604377a..418414839b8 100644
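Review bot: The two new subject checks `strings.icontains(subject.base, "*claude*")` and `strings.icontains(subject.base, "*anthropic*")` search for the literal asterisks, because `icontains` is a plain case-insensitive substring test, so they effectively never match; either drop the wildcards (`strings.icontains(subject.base, "claude")`) or switch to the glob-matching function, `strings.ilike(subject.base, "*claude*", "*anthropic*")`. In the same group, the new `strings.icontains(body.current_thread.text, "claude")` already covers every message the `"claude ads"` line matches, so the latter is dead and can be removed; if the broader `"claude"` match was not the intent, the two lines should be swapped around. Also note that the added `and any(body.links, network.whois(.href_url.domain).days_old <= 90)` is a hard requirement, so messages with no links can no longer match at all, which is a behavioural change the commit message does not mention and the rule's `description` does not reflect. The enclosing `source` block starts and ends outside this hunk.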
--- a/detection-rules/impersonation_claude_domain.yml
+++ b/detection-rules/impersonation_claude_domain.yml
@@ -1,5 +1,5 @@
 name: "Brand impersonation: Claude with newly registered domains"
-description: "Detects messages impersonating Anthropic or Claude using sender display names of 'Anthropic' or 'Claude' from domains not affiliated with the legitimate brands. The rule flags messages where the sending domain, reply-to domain, or return-path domain is newly registered (under 60 days old)."
+description: "Detects messages impersonating Anthropic or Claude using sender display names of 'Anthropic' or 'Claude' from domains not affiliated with the legitimate brands. The rule flags messages where the sending domain, reply-to domain, or return-path domain is newly registered (under 90 days old)."
 type: "rule"
 severity: "medium"
 source: |
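Review bot: The updated `description` line still says the rule checks the reply-to domain, but patch 4 of this series removed the `headers.reply_to` branch from `source` and added a requirement that a body link's domain be under 90 days old, so the text now describes logic the rule no longer has and omits logic it does have. Since this commit is already editing that sentence, reword it to match the current `source`, e.g. `The rule flags messages where the sending domain or return-path domain is newly registered (under 90 days old) and the message contains a link whose domain is also under 90 days old.`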