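--- a/detection-rules/impersonation_claude_domain.yml
+++ b/detection-rules/impersonation_claude_domain.yml
@@ -0,0 +1,46 @@
+name: "Brand impersonation: Claude with newly registered domains"
+description: "Detects messages impersonating Anthropic or Claude using sender display names of 'Anthropic' or 'Claude' from domains not affiliated with the legitimate brands. The rule flags messages where the sending domain, reply-to domain, or return-path domain is newly registered (under 90 days old)."
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+and not sender.email.domain.root_domain in ("claude.com", "anthropic.com")
+and sender.display_name in ("Anthropic", "Claude")
+// links created less than 90 days
+and any(body.links, network.whois(.href_url.domain).days_old <= 90)
+and (
+// or the return path or sender domain is less than 90 days old
+network.whois(sender.email.domain).days_old <= 90
+or network.whois(headers.return_path.domain).days_old <= 90
+)
+and (
+strings.icontains(body.current_thread.text, "claude")
+or strings.icontains(body.current_thread.text, "claude ads")
+or strings.icontains(body.current_thread.text, "anthropic team")
+or strings.contains(body.current_thread.text,
+"Anthropic PBC, 548 Market St, PMB 90375, San Francisco, CA 94104"
+)
+or strings.icontains(subject.base, "*claude*")
+or strings.icontains(subject.base, "*anthropic*")
+or regex.icontains(subject.base,
+"(?:early.{0,20}claude|claude.{0,20}(?:early.access|ads))"
+)
+)
+// negate highly trusted sender domains unless they fail DMARC authentication
+and not (
+sender.email.domain.root_domain in $high_trust_sender_root_domains
+and coalesce(headers.auth_summary.dmarc.pass, false)
+)
+attack_types:
+- "BEC/Fraud"
+- "Spam"
+tactics_and_techniques:
+- "Lookalike domain"
+- "Social engineering"
+- "Spoofing"
+detection_methods:
+- "Content analysis"
+- "Header analysis"
+- "Sender analysis"
+- "Whois"
+id: "02d16c54-a773-5286-b7a8-7b37551ccba5"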
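Review bot: The two subject checks `strings.icontains(subject.base, "*claude*")` and `strings.icontains(subject.base, "*anthropic*")` carry glob-style asterisks, but `icontains` is used as a plain substring test elsewhere in this rule, so these likely only match subjects that literally contain `*claude*`; the intended form is `strings.icontains(subject.base, "claude")` (and likewise for "anthropic"), or `strings.ilike` if wildcard matching was meant. The description also drifts from the logic: it says the reply-to domain is evaluated, yet only `sender.email.domain` and `headers.return_path.domain` are passed to `network.whois`, and it omits that a newly registered link domain is additionally required by the `any(body.links, ...)` clause. The comment `// or the return path or sender domain is less than 90 days old` sits above an `and (`, so either the comment or the operator appears wrong — if the link and domain-age conditions were meant as alternatives, it should read `or (`. Lastly, `strings.icontains(body.current_thread.text, "claude ads")` is subsumed by the preceding `"claude"` check and can be dropped.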