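--- a/detection-rules/impersonate_hubspot_suspicious_content.yml
+++ b/detection-rules/impersonate_hubspot_suspicious_content.yml
@@ -0,0 +1,70 @@
+name: "Brand impersonation: HubSpot credential theft"
+description: "Detects fraudulent messages impersonating HubSpot that contain legitimate HubSpot branding elements and address information, combined with security-related topics and credential theft indicators, while excluding authenticated legitimate HubSpot communications."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and strings.icontains(sender.display_name, 'hubspot')
+  and (
+    // branding elements: copying HubSpot's footer
+    2 of (
+      regex.contains(body.current_thread.text, '(?:HubSpot, Inc\.|HubSpot)'),
+      strings.icontains(body.current_thread.text, '2 Canal Park'),
+      strings.icontains(body.current_thread.text, '25 first street'),
+      strings.icontains(body.current_thread.text, 'MA 02141')
+    )
+    // or typosquatting/confusable "hubspot" in sender domain
+    or (
+      not strings.icontains(strings.replace_confusables(sender.email.domain.domain
+                            ),
+                            'hubspot'
+      )
+      and strings.icontains(sender.email.domain.domain, 'hubsp')
+    )
+  )
+  and not (
+    strings.icontains(sender.email.local_part, 'hubspot')
+    or regex.icontains(sender.email.domain.domain, '^hubspot\.')
+  )
+  // negate if links go to HubSpot's click-tracking domain
+  and not any(body.current_thread.links,
+              .href_url.domain.root_domain == "hubspotlinks.com"
+  )
+  // exclude legitimate HubSpot sends
+  and not (
+    (
+      (
+        strings.iends_with(sender.email.domain.root_domain, 'hubspot.com')
+        or strings.iends_with(sender.email.domain.root_domain, 'hubspotqa.com')
+      )
+      and coalesce(headers.auth_summary.dmarc.pass, false)
+    )
+    or (
+      (
+        strings.iends_with(headers.return_path.domain.root_domain, 'hubspot.com')
+        or strings.icontains(headers.message_id, '@notifybf')
+        or strings.icontains(headers.message_id, '.hubspot.com')
+      )
+      and (
+        any(headers.domains, strings.iends_with(.root_domain, 'hubspot.com'))
+        or strings.icontains(headers.from.email.email, 'hubspot')
+      )
+    )
+  )
+  and not (
+    sender.email.domain.root_domain in $high_trust_sender_root_domains
+    and coalesce(headers.auth_summary.dmarc.pass, false)
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "QR code"
+  - "Social engineering"
+detection_methods:
+  - "Sender analysis"
+  - "Content analysis"
+  - "QR code analysis"
+  - "Header analysis"
+id: "5df09a5b-8a87-59be-9a73-bd8765dbcc20"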
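Review bot: The second branch of the `// exclude legitimate HubSpot sends` block is satisfiable from attacker-controlled headers alone: a Message-ID such as `<x@notifybf.example>` (matching `strings.icontains(headers.message_id, '@notifybf')`) together with a From address containing `hubspot` (matching `strings.icontains(headers.from.email.email, 'hubspot')`, e.g. `alerts@hubspot-secure.example`) suppresses the rule, and unlike the first branch and the `$high_trust_sender_root_domains` exclusion no `headers.auth_summary.dmarc.pass` is required. Consider removing `or strings.icontains(headers.from.email.email, 'hubspot')` so the branch depends on `headers.domains` carrying a `hubspot.com` root domain, and/or gating the branch with `and coalesce(headers.auth_summary.dmarc.pass, false)` as the first branch does — if this branch exists for HubSpot sends on behalf of customer domains, that gate would need checking against such samples. A similar opt-out exists in `not (strings.icontains(sender.email.local_part, 'hubspot') ...)`, where any sender can pick a `hubspot@` local part to exit the rule; a comment naming the legitimate traffic that exclusion is meant for (e.g. `// exclude customer-owned hubspot@ mailboxes`) would let reviewers judge whether an auth check belongs there too. Separately, the regex `(?:HubSpot, Inc\.|HubSpot)` reduces to `HubSpot` and is the only case-sensitive match in that `2 of` group, and the `// or typosquatting/confusable` branch requires the confusable-normalised domain to not contain `hubspot`, so a lookalike such as `hubsp0t.example` appears to be caught only through the footer branch — confirm that is the intent or invert the comment.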