diff --git a/detection-rules/impersonate_hubspot_suspicious_content.yml b/detection-rules/impersonate_hubspot_suspicious_content.yml
new file mode 100644
index 00000000000..439d459a7dd
--- /dev/null
+++ b/detection-rules/impersonate_hubspot_suspicious_content.yml
@@ -0,0 +1,70 @@
+name: "Brand impersonation: HubSpot credential theft"
+description: "Detects fraudulent messages impersonating HubSpot that contain legitimate HubSpot branding elements and address information, combined with security-related topics and credential theft indicators, while excluding authenticated legitimate HubSpot communications."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and strings.icontains(sender.display_name, 'hubspot')
+ and (
+ // branding elements: copying HubSpot's footer
+ 2 of (
+ regex.contains(body.current_thread.text, '(?:HubSpot, Inc\.|HubSpot)'),
+ strings.icontains(body.current_thread.text, '2 Canal Park'),
+ strings.icontains(body.current_thread.text, '25 first street'),
+ strings.icontains(body.current_thread.text, 'MA 02141')
+ )
+ // or typosquatting/confusable "hubspot" in sender domain
+ or (
+ not strings.icontains(strings.replace_confusables(sender.email.domain.domain
+ ),
+ 'hubspot'
+ )
+ and strings.icontains(sender.email.domain.domain, 'hubsp')
+ )
+ )
+ and not (
+ strings.icontains(sender.email.local_part, 'hubspot')
+ or regex.icontains(sender.email.domain.domain, '^hubspot\.')
+ )
+ // negate if links go to HubSpot's click-tracking domain
+ and not any(body.current_thread.links,
+ .href_url.domain.root_domain == "hubspotlinks.com"
+ )
+ // exclude legitimate HubSpot sends
+ and not (
+ (
+ (
+ strings.iends_with(sender.email.domain.root_domain, 'hubspot.com')
+ or strings.iends_with(sender.email.domain.root_domain, 'hubspotqa.com')
+ )
+ and coalesce(headers.auth_summary.dmarc.pass, false)
+ )
+ or (
+ (
+ strings.iends_with(headers.return_path.domain.root_domain, 'hubspot.com')
+ or strings.icontains(headers.message_id, '@notifybf')
+ or strings.icontains(headers.message_id, '.hubspot.com')
+ )
+ and (
+ any(headers.domains, strings.iends_with(.root_domain, 'hubspot.com'))
+ or strings.icontains(headers.from.email.email, 'hubspot')
+ )
+ )
+ )
+ and not (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and coalesce(headers.auth_summary.dmarc.pass, false)
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "QR code"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
+ - "Content analysis"
+ - "QR code analysis"
+ - "Header analysis"
+id: "5df09a5b-8a87-59be-9a73-bd8765dbcc20"
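Review bot: The unconditional exclusion `and not ( strings.icontains(sender.email.local_part, 'hubspot') or regex.icontains(sender.email.domain.domain, '^hubspot\.') )` drops any message whose attacker-controlled local part or leading domain label contains "hubspot" (e.g. `hubspot@attacker.example` or `alerts@hubspot.attacker.example`) before any authentication is consulted, so a "HubSpot" display name plus such an address bypasses the rule entirely; unless this is meant to hand those cases to another rule, consider removing it or gating it on `coalesce(headers.auth_summary.dmarc.pass, false)` as the later exclusions do. The legitimate-send exclusions also use unanchored suffix matches (`strings.iends_with(sender.email.domain.root_domain, 'hubspot.com')`, and the same on `headers.return_path.domain.root_domain`), which accept an attacker's own `nothubspot.com`; since `root_domain` is already the registrable domain, `== 'hubspot.com'` is the tighter check. The typosquat branch requires the confusable-normalized domain to *not* contain `hubspot`, so a domain that differs from the real one only by a confusable character fails that branch and is caught only when the footer branding matches — if such domains are meant to be flagged here, the sense appears inverted and is worth confirming. Finally, `tactics_and_techniques` and `detection_methods` list "QR code" / "QR code analysis", and the description mentions security topics and credential-theft indicators, but the source contains no QR or credential-content checks, so the metadata overstates what the rule evaluates.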